A month on from my last article on the subject, we edge ever closer to GDPR coming into effect on 25th May. Last month I suggested that you conduct a data audit, get rid of data you don't need, and make sure the data you keep is up to date and accurate. If you've managed all that, you're in great shape for the months ahead.
Once you have a map of your data assets, it's time to draft policies and procedures for how to deal with them. The good news is that many of you will already have these in place, as the requirements are not too dissimilar to those of the old Data Protection Act.
Here are some of the most important areas of policy and procedure you should be thinking about in the coming weeks:
- Data retention policy – You need to decide how long you need to keep each of your data assets and records, and write that down. GDPR's storage-limitation principle means personal data must not be kept for longer than is needed for the purpose it was collected for, and its purpose-limitation principle means it must not be used for a different purpose. A retention schedule is only a policy if something enforces it, so build in a regular check that deletes or anonymises records past their date.
- Data security policy – How do you store the data, and are there specific measures your company needs to apply? For example, if you hold a database of names alongside highly personal information such as medical records, should it be encrypted? (GDPR Article 32 names encryption and pseudonymisation explicitly as examples of appropriate measures, so you will need a justification if you choose not to use them for sensitive data.) You will also hear a lot about data 'in use' (sometimes called 'active'), 'in transit' and 'at rest'. You need to consider the measures taken while the data is being processed, while it moves across a network, and while it sits on your servers and backups. It is your responsibility to make sure the data is secure all of the time, including on laptops and in backups. Undertake a risk assessment of what could happen to each data set, and document which controls you apply and why; under GDPR the decision has to be justifiable, not just made.
- Data flow – This is part of the data security point but is important enough to stand alone. Ask how data flows through your internal systems: who moves it, what is done to it, and how its passage is recorded. If it changes along the way, how is that change recorded? Be aware of what you actually do with data: does it get split, copied or transformed? Every copy is another place the personal data can leak from, and every transformation is a place where protections (encryption, pseudonymisation, access restrictions) can silently be lost. Draw up a data flow record for each asset and the policies that go with it.
- Anonymising and pseudonymising data – If, as I suggested last month, you can pseudonymise data, do you have a policy or procedure for how to do it? Pseudonymised data is still personal data under GDPR, because the key or lookup table that links pseudonyms back to people still exists, so it must be protected like any other personal data, with the key held separately from the data. If you do have to identify someone again, who is allowed to do it, and how? At what point do you drop the key, and does dropping the key actually make the retained data anonymous? Often it does not: if the remaining fields (postcode, date of birth, a rare condition) are enough to single someone out, the data is still identifiable and still in scope. Decide whether you can truly anonymise it, or whether you are really just retaining pseudonymised data.
- Data transfer policy – How will data move between departments (if appropriate) and, more importantly, between companies? Does data move between internal machines and people, and are those people aware of what the data is and what they must do with it? Is the data going to leave your organisation? If so, how will you send it, where are you sending it, and what route does it take; for example, is it transferred through UK servers or somewhere else? Make sure responsibility for the security of the data is handed over along with it and that the recipient is aware of their obligations, normally through a written contract. If you are shipping data outside the UK/EU, anonymise it if you can. If you cannot, think carefully about whether to transfer it at all; GDPR only allows transfers to countries covered by an adequacy decision or under appropriate safeguards such as standard contractual clauses. Above all, where are your email servers, your internal servers and any other system you rely on actually based: UK, EU, USA or somewhere else? Do you know? Cloud email and hosted services count here too.
- Accountability – Who is responsible for each piece of data you hold? Who will see that it is controlled and dealt with properly at every level? This is internal but also external: if you use third parties (data providers, hosting, payroll, marketing tools), do you know what they do with your data? As the data controller you remain responsible for your processors, so you could be liable for a failure you did not know was possible.
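The pseudonymisation point above is the one item in this list that is a concrete technique, so here is a worked example of it in Python. This is added here and is not from the original article; the records, column names, and key handling are constructed for illustration. It uses a keyed HMAC rather than a plain hash (a plain hash of an email address is reversed by hashing every address you hold), keeps the lookup table separate so it can be destroyed, and ends with a simple k-anonymity check showing that destroying the key does not by itself make the remaining data anonymous.

```python
"""Keyed pseudonymisation, controlled re-identification, and the gap between
'dropping the key' and real anonymisation.

Added example; not from the original article. The records, column names
and key handling below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample records. The email address is the direct identifier;
# condition and postcode are quasi-identifiers that stay in the data.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.org", "condition": "asthma", "postcode": "SW1A 1AA"},
    {"email": "bob@example.org", "condition": "diabetes", "postcode": "M1 1AE"},
]
QUASI_IDENTIFIERS = ["condition", "postcode"]


def pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The secret key is what makes this a pseudonym rather than a thin disguise:
    an unkeyed hash of a low-entropy value (an email, a patient number) can be
    reversed by hashing every plausible candidate and comparing.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace the identifier column with a pseudonym.

    Returns the pseudonymised records and the lookup table (pseudonym -> email).
    The table and the key are the 'additional information' that must be held
    separately from the data, under their own access controls.
    """
    table: Dict[str, str] = {}
    out: List[Dict[str, str]] = []
    for rec in records:
        pid = pseudonym(rec["email"], key)
        table[pid] = rec["email"]
        out.append({"subject_id": pid, **{k: v for k, v in rec.items() if k != "email"}})
    return out, table


def reidentify(subject_id: str, table: Dict[str, str]) -> Optional[str]:
    """Controlled reversal, e.g. to answer a subject access request."""
    return table.get(subject_id)


def confirm_candidate(candidate: str, subject_id: str, key: bytes) -> bool:
    """Even without the table, anyone holding the key can test a guess."""
    return hmac.compare_digest(pseudonym(candidate, key), subject_id)


def reverse_unkeyed_hash(digest_hex: str, candidates: List[str]) -> Optional[str]:
    """Why sha256(email) is not pseudonymisation: enumerate candidates and match."""
    for c in candidates:
        if hashlib.sha256(c.encode("utf-8")).hexdigest() == digest_hex:
            return c
    return None


def singled_out(
    records: List[Dict[str, str]], quasi: List[str], k: int = 2
) -> List[Tuple[str, ...]]:
    """k-anonymity check: quasi-identifier combinations shared by fewer than k rows.

    If any combination is unique, throwing the key away has not anonymised the
    data. Someone who knows one person's postcode and condition can still pick
    out their row, so the data set is still personal data.
    """
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return [combo for combo, n in counts.items() if n < k]


def run_demo() -> Dict[str, object]:
    """Walk through the life cycle and return the observable results."""
    key = secrets.token_bytes(32)  # in practice: held in a KMS/HSM, not a variable
    pseud, table = pseudonymise(RECORDS, key)
    alice_id = pseud[0]["subject_id"]
    results: Dict[str, object] = {
        "identifier_removed": "email" not in pseud[0],
        "reidentified": reidentify(alice_id, table),
        "key_confirms_guess": confirm_candidate("alice@example.org", alice_id, key),
        "unkeyed_reversed": reverse_unkeyed_hash(
            hashlib.sha256(b"alice@example.org").hexdigest(),
            [r["email"] for r in RECORDS],
        ),
    }
    # 'Drop the key': destroy the lookup table and forget the key.
    table.clear()
    del key
    results["reidentify_after_drop"] = reidentify(alice_id, table)
    # ...but the remaining fields still single each person out.
    results["still_unique"] = singled_out(pseud, QUASI_IDENTIFIERS)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it directly to see each step. The design choice worth noting is that re-identification has two paths, the lookup table and the key itself, so a procedure that deletes the table but leaves the key in a backup has not really dropped anything; and that the final k-anonymity check is what tells you whether the retained data is anonymous or merely orphaned pseudonymised data.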
I've outlined just a few of the many policies and procedures you will need to consider during the GDPR process. Others will emerge as you work through your data assets, so let them. Next month we will look at two of the new cornerstones of GDPR: consent and the right to be forgotten. Good luck.