With only 3 weeks and 3 days to go to the GDPR deadline, I’ve noticed more and more posts on LinkedIn from people claiming that if you store this particular data, you’ll be in breach of the regulation and be fined. Of course they are probably hoping that you’ll bite, and contact them so they can make some money. I can’t help but respond to say where they are wrong, as I really do not want to see people taken for a ride.
The reality is that if you have not started now, then you have more than likely left things too late to become fully compliant by the 25th May – but all is not lost. There are plenty of sites that can offer proper advice and guidance, rather than scaremongering and half truths. I found the https://ico.org.uk/ site to be a great resource, and I certainly referred to this when I started my PM role working on GDPR back in mid February.
I find this to be an interesting piece of legislation – it makes good sense and really is something that we should have already been doing. Even now we are still seeing breach notifications (Twitter being the latest one), so the principle of managing the data that we collect as organisations is a sound one. Alongside the rights attributed to us as individuals/citizens of the EU, we also have a corresponding list of responsibilities as organisations and citizens of the EU who gather data on other citizens.
The principle of Privacy by Design elevates security to the forefront, and forces organisations to do more than pay lip service to securing the data that they collect about us. What’s not to like? I think we have all had enough of seeing data breach notifications.
The principle of having a legal basis to collect and use data ensures that the collection is legally justified (lawfulness), that the data is only used for the purpose it was collected for (purpose limitation), that only the amount of data needed is collected and stored (data minimisation), and that the data is retained only for as long as it is needed (storage limitation).
Organisations also now need to ensure that there are ways to amend, delete or export data when requested by individuals, under the right to rectification, the right to erasure, the right of access to the data held about them, and the right to data portability, which means supplying the data in a structured, commonly used and machine-readable format (e.g. CSV) so it can be moved to another organisation.
This legislation has created a lot of work across the EU, however the end result has got to be positive for everyone. Organisations have less data to store – so there are cost savings to be made. And it will help employees adopt good data management habits, not storing everything in forgotten folders for years ‘in case we need it’. It would be interesting to see just how much storage is saved overall!
A lot of the work we have had to do is in mapping datasets: what do we have, where is it stored, why is it needed, who has access, is it secured, what types of personal data are stored, how long is it retained, and so on. Even if you are starting late, I would recommend looking at the data you currently have and logging what you hold and why – the legal basis for each dataset.
Look at your sales and marketing areas – how will you ensure that you have a legal basis to contact prospective customers or to send out marketing communications?
Clean up old files wherever they are stored – emails, folders, SharePoint sites etc.
Sales teams will look at utilisation in order to spot upsell opportunities – but do you need names or email addresses, or are the raw figures enough for trend analysis? Removing certain personal data from a file is as valid a minimisation step as removing the file itself.
All of these are steps that can be taken to ensure compliance.
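To make the last of those steps concrete, here is an added example (my own illustration, not code from the original post or from any particular product) of stripping the direct identifiers out of a utilisation report while keeping the figures that trend analysis actually needs. The report contents, the column names, and the choice of `name` and `email` as the identifier columns are constructed assumptions; the optional keyed pseudonym for `customer_id` is there so month-on-month rows can still be linked without the real account number appearing in the shared file.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample export of a per-customer utilisation report (not real data).
RAW_REPORT = """customer_id,name,email,plan,logins_30d,storage_gb
1001,Alice Example,alice@example.com,pro,42,17.5
1002,Bob Example,bob@example.com,basic,3,0.8
1003,Carol Example,carol@example.com,pro,18,9.2
"""

# Assumed: these columns identify a person directly and are not needed for trend analysis.
DIRECT_IDENTIFIERS = {"name", "email"}


def minimise_report(csv_text, pseudonym_key=None):
    """Return the CSV with direct-identifier columns dropped.

    If pseudonym_key (bytes) is given, customer_id is replaced by a truncated
    HMAC-SHA256 so rows can still be linked across reports without the real
    account number. Note: a keyed pseudonym is still personal data under GDPR
    while the key exists; it reduces exposure, it is not anonymisation.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    kept = [c for c in reader.fieldnames if c not in DIRECT_IDENTIFIERS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        slim = {c: row[c] for c in kept}
        if pseudonym_key is not None and "customer_id" in slim:
            digest = hmac.new(pseudonym_key, slim["customer_id"].encode(), hashlib.sha256)
            slim["customer_id"] = digest.hexdigest()[:16]
        writer.writerow(slim)
    return out.getvalue()


def contains_identifiers(csv_text):
    """True if any direct-identifier column is still present in the header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return bool(DIRECT_IDENTIFIERS & set(reader.fieldnames))


def customer_ids(csv_text):
    """The customer_id column as a list, used to check pseudonymisation."""
    return [row["customer_id"] for row in csv.DictReader(io.StringIO(csv_text))]


def plan_trend(csv_text):
    """Average logins per plan: the upsell signal, computed without any names."""
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = totals.setdefault(row["plan"], [0, 0])
        t[0] += int(row["logins_30d"])
        t[1] += 1
    return {plan: total / n for plan, (total, n) in totals.items()}


if __name__ == "__main__":
    slim = minimise_report(RAW_REPORT, pseudonym_key=b"rotate-me-and-keep-me-out-of-the-share")
    print(slim)
    print(plan_trend(slim))
```

The point the example makes is that the aggregate the sales team wants is identical whether or not the name and email columns are in the file, so the file that gets shared, emailed and forgotten in a folder can be the minimised one. Treat the HMAC key like any other secret: keep it out of the shared report, restrict who can use it, and rotate it if the pseudonyms no longer need to be linkable to earlier reports.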
Whilst the legislation comes into effect on 25th May, I would like to think that any inspectors will take a more lenient view of an organisation that can demonstrate progress in becoming compliant, rather than one that has ignored things and taken no steps at all. That is my own view though, not an official one!
But that is not the end of the story. GDPR only starts on the 25th May – there needs to be a change in how data is managed from that date in order to remain compliant, and be able to prove compliance.
This work is not going to go away, and it will have a long lasting effect on how we all do our day jobs in the future.