In my opinion the most important task to prepare for GDPR is to identify and document all the personal data you hold or have access to and what you are using it for.
GDPR defines ‘personal data’ as “any information relating to an identified or identifiable natural person (‘data subject’)”. Essentially GDPR sets out best practice for handling and processing personal data.
It will be really challenging to start on the road to compliance without actually knowing and understanding the personal information you are collecting. One of the fundamental requirements of the GDPR is documenting where the personal data you collected came from. “I think we obtained his/her details from…” will not be good enough to comply and your documentation will be the first thing the Information Commissioner’s Office (ICO) will want sight of in the event of a breach or following up on a complaint.
In any multi-faceted organisation, personal information will be collected by many departments and may also be shared across the organisation. It is therefore important to ensure that there is a clear understanding of what is being collected, by whom and for what purpose. This can be complex in larger organisations but it is worth the effort, believe me.
In smaller organisations, those with fewer than five people, the information is usually collected through one or two key routes. Once these are identified, working out what you are collecting and its purpose is much simpler.
If you are collecting any of the sensitive data categories, such as information about an individual's health and wellbeing, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data used to identify an individual, or information relating to an individual's sexual orientation or sex life, you will need to take additional steps to secure this information.
So now you have details of what is coming in, what you are using it for and who is collecting it. The next step is to identify where that information is going. Do you have data leaking from your organisation? Take the following steps to find out:
- Identify who is sharing information internally. With whom are they sharing it?
- Can a member of staff (or anyone else for that matter) download any of the personal information you are collecting onto a USB memory drive and walk away with it?
- Are staff creating spreadsheets with information on them because it is easier than using the “proper” system? How is this information then kept up to date?
- Do you have permission to share that information externally?
- Are staff emailing personal information to their personal email addresses? If so, consider whether this would be acceptable if the ICO were to investigate.
- Are staff accessing work files using their own devices (mobile phone, laptop, tablet)? If so, what controls are in place to ensure that the information is secure when accessed this way?
GDPR requires you to justify the processing (what has happened) and provide evidence on this at each stage. Recent research suggested that less than 1% of organisations knew precisely what individual data they hold, in what form and where.
Going forward it will be key to only hold the personal information you actually need to undertake your processing and nothing more. Any personal data you hold but do not actually need should be securely destroyed. This will ensure you’re complying with GDPR and keeping the information you have up to date.
Some organisations, such as JD Wetherspoons, have even gone as far as deleting their customer and email marketing database. Whilst JD Wetherspoons said "Many companies use email to promote themselves, but we don't want to take this approach, which many consider intrusive", the decision seems to relate more to the time and resources required to make the database GDPR compliant and keep it secure. The firm suffered a cyberattack in June 2015, when 656,723 customers' records on their database were hit: email addresses, birth dates, telephone numbers, and a small number of credit and debit card details (around 100) were exposed.
GDPR signals the end of holding personal information for the sake of holding it or “just in case we need it”. Does your organisation only hold what it needs? Finding out what you are collecting and who has access to it will help you comply with the law from 25th May 2018.
Ian Cooley, GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.