Whether or not you’re ready, GDPR (General Data Protection Regulation) is coming. With only 26 weeks left before implementation there is much more that can (and should be) done by publishers and authors, not least mapping what ‘personal’ data you have. This can mean anything from actual names to associated data that can identify an individual. In over simplistic terms think three things that you should be able to answer if an individual or ICO were to ask you:
- What personal data have you got on each individual?
- Why have you got it?
- What are you going to do with it?
You need to tick all three boxes, not just one or two, without hesitations, otherwise you may be subject to an Enforcement which would certainly be both financially and reputationally damaging.
What should you do?
Look at the personal data you hold, and unless you can BOTH justify why you are holding it AND show that you have ‘explicit’ consent for each individual then consent should be obtained or the data deleted.
There is no need to hold old databases or personal data on CRMs with people you have not been in contact with for the past 3-10+ years – delete. This includes data on old desktops, laptops, memory sticks, smartphones/mobiles, backup drives, (and for larger groups servers/data centres), index cards, mailing lists, groups of personal contact details online.
Everything should be ‘evidence based’ to justify so in the case of deleting, ‘deletion certificates’ should be produced to show what and when you done. All of this together with the ‘explicit’ consents, (not ‘implicit’ – just tick boxes on the website), should be gathered, chroniclise for audit, and archived in the event of any future challenge.
Encrypt all personal data, be it on a database/CRM, or even an address book on your laptops and mobile device to reduce risk of any loss (as and when hacked) or misuse. Remember you are responsible, even if you use 3rd parties to do tasks for you and they lose, you still are the owner of that personal data, and you will be the one heavily penalised. Equally, regularly back up data, (particularly all ‘personal; data’) so as and when hacked you can restore and continue operating.
What is personal data?
Personal data is any record which can be used to identify a living individual – this can include email address, job title/organisation, IP address, address, phone number, etc. and includes sensitive personal data such as health, religious beliefs, sexual orientation, criminal records, finance/credit card records, etc. In essence, anything that can aid the identity of an individual. This is not just limited to lists, spreadsheets or databases, but includes documentation such as minutes and CVs where an individual is identifiable.
What is data minimisation?
Data minimisation is about collecting and keeping the minimum amount of personal data to enable you to carry out your work. To give what may seem an extreme example, HR may need to keep CVs to demonstrate individuals have certain qualifications, (= ‘legitimate interest’), but they are unlikely to need to keep personal profiles contained in the CV beyond the selection process. This means that HR would be required to redact all personal statements from the CVs held. GDPR requirements really are that granular!
As with current Data Protection legislation, DO NOT share with trusted 3rd parties, unless you have made it clear to individuals that you will be doing this, until they have given their ‘explicit’ consent to do so. When it comes into force, carefully check the GDPR polices of any agencies used. But understand that the data/personal data is owned, used, and belongs to you, so you are ultimately responsible in the event of any breach.
Do I need to start redacting personal data from documentation?
Yes, as soon as you do a mapping exercise above, followed by a cleansing exercise, record your actions to show evidence that you have acted in compliance in the form of a ‘destruction certificate’. All records of action should be archived indefinitely at this stage, in case of any future queries or issues. It should be remembered that this is not a ‘one-off’ exercise but an ongoing, revolving exercise year-in/year-out into the future and should be checked as often as practicable.
Start thinking and planning tomorrow and do this in bite size steps between now and next May. We are not in a perfect world so things will go wrong for all sectors and industries, but you should be able to demonstrate that reasonable actions were taken – it is those who are found wanting and taken little action who will be penalised the heaviest.
So please, DO NOT panic. On the start date of GDPR on 25th May 2018 mountains will not explode and people in black coats will not be knocking on our doors. This is about good policies, processes and generally good housekeeping to ensure that the safety and security of everyone’s personal ID is held as you would want, and expect, your own personal data to be held by others.
Gordon Owen is a hybrid Authorpreneur & e/i-print book publisher at iGO eBooks® in the niche genre of voluntary sector fundraising, governance, organisational and e/iPublishing matters with 31 e/i-print Books in the 4 genre material series providing a guide and reference to techniques, things to consider, and contacts with url links enveloping a coalesce for new, small, and emerging groups / organisations in the voluntary/third sector seeking to improve their engagement with potential funders in the statutory, corporate, and charitable trusts/foundations sectors. Gordon has spent the past two years reading, presenting, including directly with the ICO to organisations and training on GDPR to better understand processes and give good guidance.