"29-page documents" have become something of a running joke in our office as we've waded through guidance emanating from the Information Commissioner's Office (ICO), trying to wrap our heads around the General Data Protection Regulation (GDPR).
We are 335 days out from its introduction and awareness is turning into a mild panic: "When the hell is something personal data, and when is it not?" "Really, I can't legally market to someone who gave me their business card at a trade event?" "What in Solomon's name is a 'double opt-in'?"
Answers to the above and other questions will follow in the coming weeks. In the meantime, here's an update on our progress working through the 12 Steps of GDPR preparation suggested by the ICO, along with some tips that might help to save you time.
Step 1, Awareness, is all about who needs to know and as far as we were concerned that's everyone in our team. In one way or another, everyone at Solomon is a "decision maker" and someone that needs to be "aware that the law is changing" and "to appreciate the impact this is likely to have."
Rebecca, who has been blessed(?) with the responsibility for leading us through this process prepared a summary of what the GDPR is and how it's likely to affect our people, our technology, and our customers. She presented this to the team along with a flow-chart describing the 12 steps and how we will approach them.
We used Step 1 as an opportunity to check our compliance under the current Data Protection Act arrangement. We thought it would be interesting to share one of the documents Rebecca prepared, which outlines the current responsibilities of Data Controllers (if you are a BID then you almost certainly are one) with regards to their use of cloud computing services like Solomon. I'm delighted to say that Solomon passes the test. If you are reading this and you are not a Solomon customer then I hope the document will provide some talking points you can use with your current supplier to ensure you're compliant too.
Step 2, Information you hold, is fundamental. The remaining 10 steps are pretty dependant on getting this bit right. Here's what the ICO says:
We headed right over to the deep end and organised an information audit. We started this by defining some questions we wanted the audit to answer. Here's the list:
- Where is our electronic information stored and processed?
- What personally identifiable information do we hold in each of those places?
- What is the origin of that information?
- Why do we store that information - what's the business case?
- Is there a legal basis for storing that information?
- What is our responsibility for the information we hold - are we a Controller or a Processor?
- What are its "exit points" - when, how and why is it shared outside of our organisation?
- For each type of information we hold, how do we record consent from the data subject?
- How secure are each of the places where we store data - what are the risks of a breach?
- What steps are necessary to eliminate or mitigate those risks, and to identify and report breaches?
A tip from us is to start by getting your team in one room and generating a list of all the software and hardware everybody uses. Including computers, phones, external drives, cloud software tools and our own technologies, we identified 29 data stores that need auditing.
The next time we post our progress report, we will have answered all of the questions listed above. We hope to have built a comprehensive picture of what we hold and why and will be armed with what we need to define processes and policies fit for the GDRP.
If you have any questions about what we've learned please feel free to contact me directly: firstname.lastname@example.org. If you haven't done so already, please subscribe to our mailing list and we'll send future updates straight to your inbox.