Hopefully by now everyone will know that next year we will all be facing a once-in-a-generation change to our data protection law. Come 25th May 2018 the General Data Protection Regulation (GDPR) comes into force, and while that still seems a while away there’s a lot to do and it will be here before you know it.
I believe it is also a mistake to think that the only person this affects is the poor soul within the organisation who was unlucky enough to be given the title of “data protection officer” as an add-on to their already busy day job because “it [very tenuously] links to what you already do”; or “there won’t be much extra work and it’ll look good on your CV” (they won’t fall for that again now GDPR is looming); or because frankly no one else wanted to do it and they drew the short straw. Getting compliant with the GDPR regs is going to be a big job for all organisations and requires some thought now and understanding from the top.
GDPR affects all functions of the organisation which could involve processing of personal data. This includes:
- Client / Customer Information
- Supplier Information
- Information on Staff, Directors, Board Members, Interns, Apprentices, Volunteers, Student Placements….
- Information on Donors
- Information on people who make complaints
If individual teams are just left to their own devices to get compliant, or if one discrete team which has no real detailed knowledge of the data held by others is expected to manage this, then this will lead to extra work and a disjointed approach.
So, I still haven’t highlighted why I LOVE GDPR.
Now I can’t believe that I am unique in that when I open “File Explorer” on my computer I look at the numerous electronic folders in my directory and my heart sinks a little bit that still no one has had the time or focus to clear them out - to delete stuff that we don’t use and to put everything else into a more sensible structure. It’s only natural that filing systems evolve over time and as such they grow and become unwieldy beasts. You start with the best of intentions, thinking about how you want to file everything and with the optimism that you’ll never go back to old filing habits, but then you get busy, and you get sloppy, and different people join and don’t follow your initial intentions and before you know it it’s grown and it’s out of control and every time you go to find something your filing system is growling at you from behind your computer screen.
Also, most HR people I know are natural hoarders. We live in fear of not keeping something which could possibly, one day, maybe, probably not but just in case, be useful, or needed in a tribunal, or to show the thought process behind something. I don’t deny that every now and again, when the stars are aligned and Jupiter is ascending, this is the case, but is it really worth it? Actually changing mindset and asking how bad it would really be if I didn’t have that info is quite liberating.
GDPR will also force us all to write down where we store data, why we store it, who it is about and when we clear it out. This will mean that in future, when clearing out our files, we don’t need to sit there and try to remember why we do what we do or when we should delete things. It also means that we can give this info to new starters in our teams and refer to it ourselves when needed. It means that if we were to get a subject access request we know exactly where we hold personal data. It will add value to our day-to-day work.
For me GDPR is pushing forward the jobs and decisions that are always being de-prioritised as there is always something more important to do. Not just cleaning out files, but things like sorting out permissions on systems to make sure that the right people have access to the right things, and really actively considering the option of going paperless in all files – something we’ve been thinking about for years but never had the time to consider the implications of in full.
You can’t get away from the fact that there will be a lot of work involved, but from an organisational perspective, I have the following tips:
- Don’t just send out details of GDPR to everyone and rely on them to make sure their bit of the organisation is OK – there will always be cross over and your organisation should process its data in a consistent way.
- Make sure that senior staff feel responsible for making the organisation compliant with GDPR. Without this people won’t see the importance and won’t give this the time and attention needed.
- See compliance with GDPR as an organisational project. As such you should have a project manager, for whom, in my view and perhaps controversially, it is far more important that they have excellent project management skills than extensive data protection knowledge.
- Have champions who are responsible for ensuring that the GDPR project plan is worked through in different functions and who feed in progress to the project manager.
- Identify early what your areas of key risk as an organisation are – where you hold the most personal data, where you know your systems aren’t quite up to scratch.
- Audit, audit, audit… I have found that the absolute starting point for my teams is to conduct an audit of:
  - Where we hold data – electronic files, paper files, databases and systems
  - What data we hold in each of those places
  - Where this is duplicated
  - Why we hold that data – what is the legal basis?
Without a clear understanding of these you can’t even start to get your ship in order. And by doing this everything else that follows will be easier and more organised.
So why am I writing this blog? Particularly as I haven’t really given any specific information about GDPR or how to comply… well, I’m not an expert in GDPR, I’m an HR Director. I assure you that there are plenty of places you can get advice on GDPR for your organisation, and if you just Google GDPR someone (an expert) will be running a free or low-cost seminar on it.
I’m writing this blog to enthuse you, to bring GDPR to the top of your agenda, to urge you to make sure that your whole organisation is all over this, and to make sure that you don’t underestimate the work involved or, more importantly, the benefits of GDPR. I have a concern that people aren’t feeling the love for GDPR that I do. Ultimately it’s not going away and it will make us all better organisations. Embrace it, see it as a project with a clear deadline and outcomes (a rarity these days) and soon you’ll get the bit between your teeth and work to push this through. Then, you too will feel the love for GDPR, I’m sure.