GDPR imposes new rules around data protection for any organisation that collects and uses personal data about EU residents. The new regulation is designed to strengthen existing data protection laws and will affect all organisations, changing the way they handle, use and store data about the people they contact.
GDPR is based on six privacy principles. These are:
- Personal data must be processed lawfully, fairly and in a transparent manner
- Personal data must only be collected for "specified, explicit and legitimate purposes"
- Data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Personal data must be accurate and where necessary kept up to date
- Personal data that is no longer required should be deleted
- Processors should ensure all personal data they hold is secure.
So the next question is: how do you turn these principles into a method of compliance?
What should follow from these principles is a set of policies and procedures, appropriate to each organisation and the data it holds.
If you have carried out an information audit to inventory all of the personal information that you hold, then for each distinct set of personal information (contact list, database, pile of paper registration forms) you should be able to frame those privacy principles as a set of questions:
1. Do we hold the data lawfully, fairly and in a transparent manner?
A review of how data was acquired at source may trigger a serious and thorough cull of data that is no longer usable under GDPR.
2. Do we hold the data for specified, explicit and legitimate purposes?
Data can only be held for a reason and not hoarded 'just in case'. In case of what? The scope of your activities should determine if it is appropriate for you to hold onto personal data.
3. Is the data adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed?
If you don't need people's medical history to promote a car boot sale, then you shouldn't hold onto it.
4. Is the data accurate and up to date? How do we maintain it that way over time?
There should be processes in place for checking and updating personal data, not only for the commencement of GDPR but over time. GDPR is very much concerned with consent; individuals may withdraw their consent to be contacted at any time, so it is important to have a robust process for updating their contact status in the future.
5. How do we delete data that is no longer required?
Whether this is a hard deletion or a secure archiving process, you need to know that old, outdated and expired data is reliably removed from your live files.
6. How do we ensure all personal data we hold is secure?
Whether it's a metal filing cabinet under padlock and key, or a fully encrypted cloud server with access control lists, passwords, two-factor authentication and biometric keys, ALL the personal information that you hold has to be reasonably secured according to the scale and sensitivity of the data held. GDPR is, in large part, a response to the accumulated data breaches of banks, credit agencies and social media. The penalties have been raised accordingly.
Following posts will look at consents and how to record the granting and withdrawal of consent. RC
Image credit: Privacy written in tiles by Owen Moore, CC BY SA 2.0, via Wikimedia Commons