So, by now most of you have heard of the new General Data Protection Regulations coming into force on the 25th of May. Unfortunately, a lot of the information available on the internet has concentrated on the possible fines you might receive if you fail to adhere. I guess this is a way of trying to scare companies into using a consultant to ensure compliance - at least this is how I saw it when I was trying to work out what we here at Qimtek needed to do. It all felt at bit overwhelming and hard to comprehend.
In the end, I attended a course held by BSI - ‘GDPR: Foundation Level’. It was a one-day event, which made me feel much more reassured about what I needed to do to follow the new rules. It also changed my mind about the work involved; rather than being a headache, it was an opportunity to review our processes of collecting and storing data.
So, with this in mind, we began to ask ourselves the following questions and map our data accordingly:
- What data do we keep?
- Why do we collect and keep it?
- How do we collect it?
- For how long do we keep it?
- Where do we keep data?
We are inputting all of this information - and much more - into our Data Management and GDPR policy document. This will be important in ensuring that both new and existing staff understand our business processes now and the future. Obviously, the hard part is keeping this document completely up-to-date once it has been created.
Evaluating our data:
Prior to the dawn of GDPR, one bit of information we kept was a log of everyone coming in and out of the office. This was collected by a facial recognition camera that was introduced when we did not have a security alarm and there was lots of building work going on around our office.
The building work is done and our security has been upgraded, but the camera is still there. So, do we need it?
In the end, I decided it no longer served a purpose and have removed it, along with all the data which had been recorded. One less headache!
Another factor we’re looking into is all of the emails we send to and receive from our members. Do we need to keep them forever and where are they stored? In order to ensure compliance, we are currently deciding how long we will keep them, as well as setting up a process to automatically delete any emails older than X months, whilst documenting our reasoning behind it.
We do have a large CRM system which keeps lots of information, but the majority of this data is about organisations, as opposed to individual people. But again, we need to define what we are recording, keeping and for how long we need it.
Luckily, our website’s privacy and cookie policies - along with our terms & conditions - were pretty straightforward to adapt, as they were recently reviewed. Part of this process had included defining what data we keep and for how long, meaning that only smaller parts of these policies had to be amended.
How can I prepare for GDPR?
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. GDPR operates around six principles, or key points, which dictate that personal data should:
- Be processed lawfully, fairly and transparently.
- Be collected for specified, explicit and legitimate purposes.
- Be adequate, relevant and limited to what is necessary.
- Be recorded accurately.
- Be kept for a reasonable time.
- Be treated with integrity and confidentiality.
These laws come into effect as of the 25th of May 2018. They affect all companies across every industry and therefore, they command a certain level of forward-thinking and planning from all EU businesses.
- Initial steps that companies can take include:
- Establishing whether or not your business is a data processor, i.e. processing personal information.
- Registering with the ICO if indeed you are a data processor.
- Defining what data you hold.
- Identifying how you collect your data.
- Justifying why you need your data.
- Locating where personal data is kept.
It’s also worth checking out GDPR: 12 steps to take now, along with the GDPR checklist, to ensure that you’re covering all of your bases.
Fact or fiction?
It’s imperative that you gain a good grasp on the GDPR laws, whilst sorting the facts from the rumours. If you’re unsure about what to believe, then it’s worth visiting this page on the website of the Information Commission Office. It tackles a few of the most common myths surrounding the new regulations and helps visitors to achieve a higher level of clarity on the subject overall.