Reply to post:

Say GDP-aaaR: UK's Information Commissioner pours £275k fine into London pharmacy's teaspoon

whitepines Silver badge

Why is automation even coming into the picture here? My understanding of the GDPR is that you create some company-wide documents (privacy policy, data retention policy, etc.) and check them once to make sure they're in compliance. Then they just sit there, being used to guide designs of any kind of system or process that handles user data.

As far as holes in any database, aren't the two main areas where that would even be any kind of problem invoicing (ERP) and corporate Email? Where a US company could simply say "our retention policy is permanent retention for taxation and legal defense purposes", especially considering the only PII in play would be address, phone, and Email? If those are in a dedicated, segregated, secured system (definitely ERP should be already for business reasons), and marketing has zero access, then it should be considered reasonable retention?



Biting the hand that feeds IT © 1998–2020