GDPR – a challenge for company IT systems

There are only seventy days left until the EU’s General Data Protection Regulation (GDPR) comes into effect. From 25 May, companies that collect and process personal data will have to comply with the obligations introduced by these new rules.

Many of the GDPR requirements call for changes to the IT systems that companies use. Depending on the type of business and the extent to which personal data is processed, the required changes may be more or less complex. Some companies will have to adapt not only their IT systems but also the procedures for using them. It should be noted that meeting these EU requirements will be far more labour-intensive than adding a few legal notices for users, as was the case with cookies.

One of the basic rights recognised by GDPR is the right to information, under which data subjects are entitled to learn what data about them is actually being stored, how it is processed and for what purpose.

This requirement should not be particularly difficult to meet in service systems that users can log into. In such systems, giving users access to their own data is standard practice. It may, however, be necessary to supplement that data with information on the purpose and method of its processing.

For systems that do not let end-users access their data independently, the situation may be much more problematic. In this case, one potential solution is a built-in or external reporting mechanism that allows the system administrator, at the request of the individual, to prepare a statement of the data held about them.

Additional difficulties arise when personal data is stored and processed by several separate systems, or by applications running in a cloud. Here, special care should be taken to ensure that the information reported on each data set is complete and accurate.

Another GDPR requirement is to respect the right to rectification, under which people may request that incorrect data be corrected or incomplete data be completed. As with the right to information, this condition is easier to fulfil in systems that let users log in and edit their own data without assistance. If the system does not allow this, it may be necessary to adopt procedures for the controller to change personal data, for example with database tools.

This requirement may prove very complex when data is stored and processed by several systems in the cloud, especially if there are no synchronisation mechanisms between the separate data sets: a correction applied in one system must be reflected in all of them.

GDPR also provides for the right to data portability (the right to transfer data), under which the data subject may request delivery of their data in a structured, commonly used and machine-readable format, such as PDF or CSV. The IT system must therefore allow the user to export their data in this form, or provide the controller with the tools to do so at the user’s request.

Meeting the requirements of the right to be forgotten may prove particularly labour-intensive, because under it people can request the deletion of all their data from a company’s systems. This applies not only to the databases used by applications, but also to every other data set in which the data appears, such as archives, system logs and backups. Companies should therefore be aware not only of the need for new technical solutions, but also of the possible need to change their policies and procedures for recording and archiving data.

For the sake of data integrity, many systems (such as ERP) do not allow the actual removal of data; they merely flag it as hidden, so the records remain in the database. In such cases, it may be necessary to make significant modifications to existing systems or to migrate to solutions that support genuine removal.

Alongside these rights, GDPR imposes a number of other requirements. Applying them to company IT systems could fill more than one book. The main conclusion, however, is that adapting systems and applications to GDPR must be done methodically and in a way that matches the specific needs of the business.

Although little time is left, it is still not too late to prepare for GDPR, even in large enterprises. In many cases, interim measures and workarounds sufficient to satisfy the requirements can be put in place and later replaced with better long-term solutions.

We would like to offer our services in adapting your company’s IT systems for the introduction of GDPR. As a team with long and extensive experience in building and maintaining applications and IT tools, and with GDPR training, we can provide comprehensive and effective solutions.

We customise systems based on our primary solutions, such as OTRS, as well as other applications such as ITSM, CRM/ERP and e-commerce platforms. Our specialists look forward to hearing from you.
