By now (I have faith in you) you will have reviewed the 12 steps to General Data Protection Regulation (GDPR) compliance. If you have not, or this is the first time you are hearing about this…get your skates on and check out last month's post: https://lizhendersondata.wordpress.com/2016/12/24/gdpr-are-you-aware/ and the Information Commissioner's Office (ICO) advice and guidance: https://ico.org.uk/for-organisations/data-protection-reform/
Here are a few of my personal practical tips to take you forward through the first two steps towards compliance. This advice in no way constitutes legal or regulatory advice; it is based on my own personal experience and expertise.
Step 1 Awareness – I am sure you have briefed your employees, from the top to the bottom of the organisation and at all sites in all locations and countries, on GDPR. Data Protection is everyone's responsibility. Think about how you will provide on-going communication, reminders, updates and information to new employees – posters, web links, a named point of contact. Do you have a process for managing data security when staff leave?
Formalise “Awareness” as part of your communications strategy.
Create a GDPR strategy, add this to your overall Data Management Strategy with a communications and data quality strand. Advice can be found here on what to consider when creating a data strategy: https://lizhendersondata.wordpress.com/2014/09/28/do-i-need-a-data-strategy/
Step 2 Information you hold – Do you have a list of all the personal data you hold? Firstly, have you defined what your personal data is? Ensure your definition is clear and test it on a few people. Is the definition ambiguous? Do you need to provide some examples relevant to your organisation?
– The definition below is taken from the "Overview of the GDPR" from the ICO:
What information does the GDPR apply to?
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic and biometric data, where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
Now you know what personal data you hold:
- Where is it?
- Is it stored securely?
- Who has access to it, can this access be controlled?
- Where did the data come from?
- Is it accurate?
- Is the data changed, added to (enriched) or deleted in any way once you have it?
- What happens to the data once you are happy it is accurate? Or maybe before you are happy with it?
- Who uses it?
- What is it used for?
- Is any of the data communicated to anyone inside or outside of the organisation?
- How would you update this external party or internal team that data has been updated, to enable them to correct their records?
Knowing this about your data is known as "Data Lineage".
There are many tools out there to help document your lineage, but if you have a straightforward lineage, a spreadsheet, Word or PowerPoint explanation and diagram will suffice, provided it is clear, comprehensible and can be audited.
Documenting all of the processes and policies needed to manage your personal data, and answering all the questions above, will help you to comply with the GDPR's accountability principle.
How about setting up a dashboard with metrics, and even a maturity measurement scale, to show people your progress through the steps and towards compliance? Include some key tips and advice on what your colleagues can do to help. This will help with buy-in and support, as it is open, visible and clear what you are doing and where you are in working towards the target compliance date of 25 May 2018!
There is enough here to keep you busy until next time. Good luck!
Image credit: https://www.itgovernance.co.uk/blog/eu-gdpr-infographic-what-the-new-regulation-means-in-1-minute/