This is a summary of our GDPR journey and the most significant learning points we had with data protection. For those of you who just like to skip to the end, here’s a quick list. It is predicated on the assumption that like us, you already believe you are doing a good job in terms of both the letter and spirit of data protection.
- You are most probably already doing most of the right things!
- …however unless you have a well-documented evidence trail it means very little.
- If you do nothing else, make sure that you do the following (it could take as little as 4 to 8 hours for a small business, since there is a wealth of free templates and examples out there):
  1. Complete and document the data mapping for your business
  2. Analyse and document the risk/sensitivity of the data you manage, both internally and for your clients
  3. Publish a summary of your Data Protection policy on your web site
  4. Appoint a Data Controller (it’s most probably you if you are small)
  5. Review your contract to make sure that responsibility for data is clearly defined
- There are a significant number of “grey” areas that will most probably be decided by UK case law over the next few years, so don’t sweat the small stuff.
- Don’t rush to delete your marketing database or drown your prospects and clients with emails in an attempt to get everything clean!
We have created a summary document of our approach to GDPR compliance. If you are in the L&D space it may well fit with many of your requirements so please feel free to download and modify it as you wish. Link to our GDPR Summary Statement here.
At the end we will look into our very own crystal ball and give our predictions as to how these changes will affect business in both the short and longer term.
It is a commonly held myth that GDPR mostly affects large corporations and marketing companies.
The responsibility to take an active approach to the data privacy and protection of anyone with whom we do, or would like to do, business applies (rightly in our opinion) to every single organisation, no matter how small. It is true that larger organisations will most probably have a greater cash and resource investment to manage, since they have so many more potential leakage points, more feedback records to store and protect, and more complex safety protocols for gathering data. However, I would argue that the burden on very small businesses is perhaps proportionately greater in terms of the relative cost and resource required, and usually without the luxury of easy and affordable access to individual expertise in each of the areas covered by GDPR.
Our job in life is to run 360-degree feedback, engagement and other diagnostics for our clients, which means we process a lot of corporate, personal and employee data. Those who do business with us know how carefully we protect individual data, and we thought we could hold our heads up with the best of them when we started our GDPR data privacy protection audit. We had a lot to learn!
Here are the major steps we took and lessons we learned along the way:
The journey starts here. The data mapping process forces you to think about all the data that you store or process in your company. A simple, shared Excel workbook allows collective input from everyone involved and ensures as holistic a view of the data as possible.
We are a small company and made the initial mistake of concentrating on client and marketing data, without giving sufficient thought to our own staff’s data, which is actually more risk-sensitive than any other data we hold (more on that later).
The ICO site is very comprehensive in providing tools and documentation to help you. Be warned: although most of it appears quite straightforward, we did find some of it hard work to get through, and not particularly intuitive. Link to ICO’s page on how to document processing activities here.
The minimum requirements for recording data under GDPR are:
- Name and details of your organisation
- Purposes for processing the data
- Description of the categories of individuals and categories of personal data
- Categories of recipients of personal data
- Details of transfers to third countries (We only do this when contractually obliged)
- Retention schedules
- Description of technical and organisational security measures
However, in our business we find it useful to add the following:
- Data Subjects and Observers (this is specific to our type of business)
- Document Type
- Data Type (i.e. name, relationship type, contact email, etc.)
- Rationale for collection (type of survey or diagnostic)
- Legal basis for processing
- Retention period (we differentiate between raw data and processed data)
There are six lawful bases for processing personal data. We decided to separate this classification into two separate areas: Client Data (where we process data under Contract on behalf of our clients) and Company Data (where we gather and use data for our own purposes, either to support our staff or to support our marketing and development strategies).
Consent – For Client Data, we are very rarely in a position where we need to obtain individual consent. On the very few occasions that we obtain individual and private data, we gain consent from the people who supply it to us. This is achieved by individual agreement before starting any survey or diagnostic. However, since this creates barriers to work and extra time, we believe that in the vast majority of cases the Contract between ourselves and our clients constitutes the prime legal basis. Individuals are employed by our client and complete surveys, diagnostics, etc. as part of the contract they have with their employer (our client).
Contract – We are contracted by our clients to obtain and process data from their employees. The responsibility to inform the employees and agree the data collection lies between the client and their employees. Should the client (who in this instance is the data controller) wish it, we will provide an option for us to inform each individual employee as to how their data will be used before they agree to continue.
Legitimate Interests – We occasionally analyse and publish studies based on the data we have collected. There is no personal data included within the analysis or publication, but we feel we should declare the fact.
Consent – For Company Data, we have obtained individual consent from our staff and from anyone on our marketing database.
Contract – We have contracted with our staff the requirement to keep and maintain personal data to enable us to pay their salaries, taxes and other associated requirements.
Legal – We have a legal obligation to maintain personal data of our staff.
Legitimate Interests – We have a legitimate interest in marketing our products and services to those professions and industries who use them.
In the next article we will share further details on how we interpreted the other requirements of GDPR. We would be delighted to receive any feedback on your experiences with GDPR, particularly if you are in the Learning & Development sector!