The new EU General Data Protection Regulation (GDPR) includes some dramatic changes to how companies manage, process and delete data. It's no longer just about finding data and making sure it's secure. It's about capturing the context of data and being able to prove that everything is being done to protect a data subject's data and the subject's own rights.
In Part 3 of our GDPR series, Kate Armitage provides a simple and pragmatic guide to help you to get started.
Step 1: Understanding the data you have
What is "personal data", exactly?
The world of data collection has changed dramatically over recent years. We can collect and process huge amounts of data at the click of a button. This also means we're constantly on the brink of making a mistake. GDPR gives organisations an opportunity to get their data protection policies into shape.
This starts with knowing exactly what data you have. Under GDPR, whatever information you hold that can be used to personally identify an individual (or individuals) must be managed and controlled.
This includes data you keep on employees, customers, journalists and any other third-party contacts, and can include (but isn't limited to) their:
- Name, address and unique identifying numbers
- Demographics – such as age, gender, income or sexual preference
- Behavioural data – web searches, purchase history, website cookies and more
- Social data – who your friends are, your emails etc.
- Sensor data – biometrics, health tracking devices
- User-generated content – videos, photos, blogs or comments
Step 2: Understanding how to collect and process that data
Consent is one of the fundamental aspects of GDPR. One of the key changes is that you can no longer assume that keeping someone's personal information is OK until they opt out. Instead, you need to ask that person for permission to keep their data.
You'll need to:
- Have a record for each contact, specifying what information they've requested and how they requested it
- Make sure your policies are clear and up-to-date
- Identify, assess and manage the potential risk associated with collecting, processing and managing the data
- Respect that your contacts have a "right to be forgotten" and the right to ask for a record of their information at any time
Step 3: Understanding who's responsible for managing the data
You then need to work out what your different stakeholders are responsible for doing. Back in Part 2 of our GDPR series, we explain how to prepare your employees for GDPR, and provide a simple guide to keeping them engaged.
What you should do now
Part 4 of our GDPR series directs you to 10 essential resources on the new regulation.