Friday 17 November 2017

Ready, whether or not, it is coming - GDPR

With only 26 weeks left before implementation there is much more that can (and should) be done by Authors and Publishers, not least mapping what ‘personal’ data you have. This can mean anything from actual names to associated data that can identify an individual. In over-simplistic terms, think of three things that you should be able to answer if an individual or the ICO were to ask you: (1) What personal data have you got on each individual? (2) Why have you got it? (3) What are you going to do with it? Authors need to tick all three boxes, not just one or two, and must not hesitate to answer an individual who asks; otherwise you will be subject to an Enforcement, which would certainly be both financially and reputationally damaging, even business breaking!

Look at what personal data you hold and where it is held, and unless you can BOTH justify why you are holding it AND show that you have ‘explicit’, NOT ‘implicit’, consent from each individual, it should be deleted. If you hold old databases or personal data on CRMs for people you have not been in contact with for the past 3-10+ years, why do you need to retain it? Delete it. This includes data on old desktops, laptops, memory sticks, smartphones/mobiles, backup drives (and, for larger groups, servers/data centres). Everything should be ‘evidence based’, so in the case of deletion, ‘deletion certificates’ should be produced to show what was deleted and when. All of this, together with the explicit consents (not just tick boxes on the website), should be gathered, chronicled for audit, and archived in the event of any future challenge.

Encrypt all personal data, be it on a database, or even an address book on your laptop or mobile device, to reduce the risk of any lost or hacked copy being misused. Remember you are responsible: even if you use 3rd parties to do tasks for you and they lose the data, you are still the owner of that personal data, and you will be the one heavily penalised. Equally, back up data regularly so that if you are hacked you can restore and continue operating.

So please, DO NOT panic!! On the start date of GDPR on 25th May 2018 mountains will not explode! Men in black coats will not be knocking on Authors’ doors! This is about what the original article above says and the safety of everyone’s personal ID. To recap:-

What is personal data?

Personal data is any record which can be used to identify a living individual – this can include e-mail address, job title/organisation, IP address, address, phone number, etc. and includes sensitive personal data such as health, religious beliefs, sexual orientation, criminal records, etc. This is not just limited to lists, spreadsheets or databases but includes documentation such as minutes and CVs where an individual is identifiable.

What is data minimisation?

Data minimisation is about collecting and keeping the minimum amount of personal data to enable you to carry out your work. To give what may seem an extreme example, HR may need to keep CVs to demonstrate individuals have certain qualifications but they are unlikely to need to keep personal profiles contained in the CV beyond the selection process. This means that HR would be required to redact all personal statements from the CVs held. GDPR requirements really are that granular!

Do I need to start redacting personal data from documentation?

Yes. Do the mapping exercise described above as soon as you can, follow it with a cleansing exercise, and record your actions as evidence that you have acted in compliance.

Start thinking and planning tomorrow and do this in bite-size steps between now and next May. We are not in a perfect world, so things will go wrong for all sectors and industries, but as Authors you will set the bar and be able to demonstrate that reasonable actions were taken; it is those who are found wanting and have taken little action who will be penalised the heaviest.

Gordon Owen

Biography: Spent the past two years reading, presenting (including directly with the ICO to organisations) and training on GDPR to better understand processes and give good guidance.