In the second advice column from Managed Networks in association with Securys, on how to comply with new data protection laws starting next May, Managed Networks’ Ben Rapp looks at the next steps: data processing and policies
Welcome to the second in our monthly series of columns to help you get a handle on GDPR and what it means for your organisation. This column assumes you’ve read last month’s and followed the steps it suggested, so if you haven’t, please read that column first.
Assess your data catalogue
Check that you don’t have any ‘special category’ data – ie, health information (including disability), ethnicity, sexual orientation or gender identity, religion or political affiliation. If you do, you need a really good reason for it, and you need to follow very specific rules in processing it, so raise a red flag if you find any. Don’t forget about employee data here.
What do you hold about consumers that goes beyond their name, address, contact details and purchase history? Examples might be: financial information; anecdotal comments in your ticketing system; background information on patrons and prospects.
What are you keeping in spreadsheets, on paper, in notes fields, in email? You’ll need to be able to find it all reliably to control it properly, so the more duplicated or unstructured data you have, the harder it’ll be.
How much old data do you have, where do you keep it and why? Can you get rid of any of it without breaking the law? A key GDPR tip is ‘do less’ wherever you can.
Think about your data processing
What do you do with the data, and what did you record as the reason why? If you couldn’t come up with a good reason for doing it, there’s a reasonable chance you shouldn’t be.
GDPR provides lots of grounds for processing without needing consent but where you have consent you need to know how you got it, what it was for, and how long it lasts. It’s particularly important to know communication someone has consented to, and what kinds of information you said they’d receive.
If you’re relying on consent, be sure that they consented to everything you’re actually doing. If you’re using one of the other grounds, like ‘legitimate interest’, you need to show that your interests are properly balanced against their right to privacy.
Sometimes you’ll be ‘profiling’ – selecting customers for mailings or special offers based on their purchase history or other data. You have to make sure customers know you do this. Importantly, if you’re getting information about customers from anywhere other than the customer themselves – like patron research – you must tell the customer individually.
Look through your data sharing list. Do you have solid contracts or agreements in each case? Are you sure you have the right to share (or receive) that information?
The GDPR requires you to have and communicate effective policies to protect data. If you don’t have any, or they’re not complete or good enough, you’ll need to write/buy some.
It also requires you to have security that’s good enough for the kind of data you hold and the sort of processing you do. So if you have special category data, or additional customer data, or just a lot of data, you’ll probably need to up your game. This can include having to encrypt data, implement better access control measures, or improve your network security.
Now you have some idea how big the problem is – or isn’t. Next month we’ll look at some common issues and what to do about them.
Can’t wait? Get in touch with us on firstname.lastname@example.org