In my last post I covered the principles of GDPR and what they mean in simple English. In this post I am moving on to starting to take some action to get my business ready for GDPR.
If we go back to the principles in the previous post it was clear that (among other things) we are expected to know what data we are holding and what we are going to do with it. This leads to a ‘hunt the data’ exercise, a little like finding change for the parking meter: you start off looking in all the usual places before finding a few more places that you’d forgotten.
Step 1 – Identify the Data you currently hold
As the ICO were kind enough to define Personal Data (see previous post) all we need to do is document where we hold this in our businesses and for whom.
Some data is pretty obvious and other things might be a little more obscure. Here is a list of things (not exclusive) to get you started:
- email address
- phone numbers
- IP address
- financial information
- medical information
- date of birth
- logon details
- marital status
You also need to find all the places that you hold data that is determined to be special data which may include things like:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
As you go through your working day, think about the tasks you are doing and the information you may be ‘controlling’ or ‘processing’ (making decisions about or doing things with) and note it down as you go.
Step 2 – Where is the data
There are 2 parts to this bit of the exercise.
Part 1 – Where is the data from a systems perspective (in Mailchimp, Dropbox, on my phone, in a notebook or filing cabinet, etc.)?
Part 2 – Where is the data physically located in the world? I’m sure you all know where the servers for all your chosen software providers (Mailchimp, finance systems, website hosting, anyone?) are, and where your physical storage locations are.
It’s pretty scary when you start thinking about all the places that you store data, and hopefully you will agree that this is actually a pretty important exercise if you want to run a serious business.
Make a note of what data goes into each system and then find out where that system is based. This is really important, as both the current and new regulations make it clear that data must be held to the standards of the countries of the data subjects (people!) for whom you hold data. So if you are storing data outside of the EU, the company you are using must have equivalent data protection policies in place. In the US there is a special arrangement called Privacy Shield which companies can become affiliated with, making it acceptable to transfer data to them. You can find out whether your providers are signed up on the Privacy Shield website.
For data that is held non-digitally (i.e. paper!), think about where it is held. On a shelf in your home office? Filing cabinet? Locked?
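To show what the output of Steps 1 and 2 can look like once it is written down, here is a small data-inventory register in Python. It is an added example, not code from the original post: the `DataStore` record, the `inventory_register` and `inventory_findings` helpers, the stand-in `EU_COUNTRIES` set and the sample stores are all constructed for illustration. It maps each category of personal data to the systems holding it, and flags the three things the post asks about: special-category data, digital data stored outside the EU with no documented safeguard (the post’s example safeguard is Privacy Shield), and paper records that are not locked away.

```python
"""Toy GDPR data-inventory register (added example, not from the original post).

The DataStore record, the helper names and the sample stores below are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Special-category data as listed in the post (Step 1).
SPECIAL_CATEGORIES = {
    "ethnic origin", "trade union membership", "biometrics",
    "sex life", "sexual orientation",
}

# Assumption: a short stand-in for the EU member list; the UK was a member
# when the post was written, so it is included here.
EU_COUNTRIES = {"UK", "IE", "DE", "FR", "NL", "ES", "IT"}


@dataclass
class DataStore:
    name: str            # the system or place (Step 2, Part 1)
    medium: str          # "digital" or "paper"
    country: str         # where it physically lives (Step 2, Part 2)
    data_items: set      # personal-data categories held there (Step 1)
    safeguard: str = ""  # transfer mechanism for non-EU digital stores,
                         # e.g. "Privacy Shield" (the post's example)
    locked: bool = True  # for paper records: is the shelf/cabinet locked?


def inventory_register(stores):
    """Map each data item to the stores holding it: the 'where is the data' view."""
    register = defaultdict(set)
    for store in stores:
        for item in store.data_items:
            register[item].add(store.name)
    return {item: sorted(names) for item, names in sorted(register.items())}


def inventory_findings(stores):
    """Return the follow-up actions the post's questions would raise for each store."""
    findings = []
    for store in stores:
        special = sorted(store.data_items & SPECIAL_CATEGORIES)
        if special:
            findings.append(
                f"{store.name}: holds special category data ({', '.join(special)})")
        if (store.medium == "digital" and store.country not in EU_COUNTRIES
                and not store.safeguard):
            findings.append(
                f"{store.name}: stored in {store.country} outside the EU "
                "with no documented safeguard")
        if store.medium == "paper" and not store.locked:
            findings.append(f"{store.name}: paper records are not locked away")
    return findings


# Constructed sample inventory for a small business.
SAMPLE_STORES = [
    DataStore("Mailchimp", "digital", "US", {"email address"},
              safeguard="Privacy Shield"),
    DataStore("Dropbox", "digital", "US", {"financial information", "date of birth"}),
    DataStore("Phone", "digital", "UK", {"email address", "phone numbers"}),
    DataStore("Client notebook", "paper", "UK",
              {"phone numbers", "medical information"}, locked=False),
    DataStore("HR folder", "paper", "UK",
              {"trade union membership", "date of birth"}, locked=True),
]

if __name__ == "__main__":
    for item, names in inventory_register(SAMPLE_STORES).items():
        print(f"{item}: {', '.join(names)}")
    print()
    for finding in inventory_findings(SAMPLE_STORES):
        print("TODO:", finding)
```

Running it prints the register (for example, `email address: Mailchimp, Phone`) followed by three TODO lines: Dropbox has no documented safeguard for a US transfer, the client notebook is not locked, and the HR folder holds special-category data. Mailchimp produces no finding because a safeguard is recorded; that is exactly the check the post asks you to do against your providers.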
If you are starting to feel overwhelmed, please don’t. Working through some steps like these will help you to get your business GDPR ready. Also, all the ‘experts’ I’ve spoken to are keen to stress that the ICO is looking to support small businesses. If we have taken reasonable measures to make sure we have complied this will be looked on favourably (much better than the ostrich approach of doing nothing). So there you go – that’s the first thing I’m doing to get compliant with GDPR.
Will you be joining me?
I’ll be back next week with Step 3 – Why have you got the data?