Ready or not, it is coming – GDPR: With only 26 weeks left before implementation there is much more that can (and should) be done by Authors and Publishers, not least mapping what ‘personal’ data you hold. This can mean anything from actual names to associated data that can identify an individual. In over-simplistic terms, think of three things that you should be able to answer if an individual or the ICO were to ask you – (1) What personal data have you got on each individual? (2) Why have you got it? (3) What are you going to do with it? Authors need to tick all three boxes, not just one or two, and must not be hesitant with an individual who asks; otherwise you will be subject to an Enforcement, which would certainly be both financially and reputationally damaging – even business breaking!
Look at the personal data held, and where, and unless you can BOTH justify why you are holding it AND show that you have ‘explicit’, NOT ‘implicit’, consent from each individual, then consent should be obtained or the data deleted. If you hold old databases or personal data on CRMs for people you have not been in contact with for the past 3-10+ years, why do you need to retain it – delete. This includes data on old desktops, laptops, memory sticks, smartphones/mobiles, backup drives (and for larger groups, servers/data centres), index cards, mailing lists, and groups of personal contact details online. Everything should be ‘evidence based’ to justify it, so in the case of deleting, ‘deletion certificates’ should be produced to show what you deleted and when. All of this, together with the ‘explicit’ consents (not ‘implicit’ – just tick boxes on the website), should be gathered, chronicled for audit, and archived in the event of any future challenge.
Encrypt all personal data, be it on a database/CRM or even an address book on your laptop and mobile device, to reduce the risk of loss (as and when hacked) or misuse – remember you are responsible: even if you use 3rd parties to do tasks for you and they lose it, you are still the owner of that personal data, and you will be the one heavily penalised. Equally, regularly back up data (particularly all ‘personal data’) so that as and when hacked you can restore and continue operating.
What is personal data?
Personal data is any record which can be used to identify a living individual – this can include e-mail address, job title/organisation, IP address, postal address, phone number, etc., and includes sensitive personal data such as health, religious beliefs, sexual orientation, criminal records, finance/credit card records, etc. In essence, anything that can aid the identification of an individual. This is not just limited to lists, spreadsheets or databases but includes documentation such as minutes and CVs where an individual is identifiable.
What is data minimisation?
Data minimisation is about collecting and keeping the minimum amount of personal data needed to enable you to carry out your work. To give what may seem an extreme example, HR may need to keep CVs to demonstrate that individuals have certain qualifications (= ‘legitimate interest’), but they are unlikely to need to keep the personal profiles contained in the CV beyond the selection process. This means that HR would be required to redact all personal statements from the CVs held. GDPR requirements really are that granular!
As with current Data Protection legislation, DO NOT share with trusted 3rd Parties until, and unless, you have made it clear to individuals that you will be doing this, and then only after they have given their ‘explicit’ consent to do so. Carefully check the GDPR policies of any agencies used when it comes into force, clearly understanding that the data/personal data is owned and used by, and belongs to, you, so you are ultimately responsible in the event of any breach.
Do I need to start redacting personal data from documentation?
Yes. As soon as you have done the mapping exercise above, followed by a cleansing exercise, record your actions to show evidence that you have acted in compliance, in the form of a ‘destruction certificate’. All records of action should be archived indefinitely at this stage in case of any future queries or issues. It should be remembered that this is not a ‘one-off’ exercise but an on-going revolving exercise, year-in/year-out, and should be checked as often as practicable.
Start thinking and planning tomorrow and do this in bite-size steps between now and next May. We are not in a perfect world, so things will go wrong for all sectors and industries, but as Authors you will set the bar and be able to demonstrate that reasonable actions were taken – it is those who are found wanting and have taken little action who will be penalised the heaviest.
So please, DO NOT panic!! On the start date of GDPR on 25th May 2018 mountains will not explode! Men in black coats will not be knocking on Authors’ doors to demand sight of your records! This is about good policies, processes and generally good housekeeping, plus complying with the thrust of GDPR – the safety and security of everyone’s personal ID held, as you would want and expect of your own personal data by others.
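The mapping, retention check and ‘destruction certificate’ step described above, as an added illustration (example code, not from the original post; the field names, the 3-year idle threshold and the sample records are assumptions):

```python
# Added example (not from the original post): a minimal personal-data
# inventory answering the three questions (what / why / what for), a
# retention check, and a 'destruction certificate' record that evidences
# what was deleted and when. Field names and thresholds are assumptions.
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class InventoryEntry:
    record_id: str          # your own reference for the record
    what: str               # (1) what personal data is held
    why: str                # (2) why it is held (justification), '' if none
    purpose: str            # (3) what you are going to do with it
    explicit_consent: bool  # explicit (not implicit) consent is evidenced
    last_contact_year: int  # last year you were in contact


def needs_deletion(entry: InventoryEntry, current_year: int,
                   max_idle_years: int = 3) -> bool:
    """Keep only if justified AND explicitly consented AND not stale."""
    justified = bool(entry.why.strip()) and entry.explicit_consent
    stale = current_year - entry.last_contact_year >= max_idle_years
    return (not justified) or stale


def destruction_certificate(entry: InventoryEntry, payload: bytes,
                            deleted_at: Optional[datetime] = None) -> dict:
    """Archive-ready evidence: a fingerprint of the deleted data, not the data."""
    deleted_at = deleted_at or datetime.now(timezone.utc)
    return {
        "record_id": entry.record_id,
        "what": entry.what,
        "sha256_before_deletion": hashlib.sha256(payload).hexdigest(),
        "reason": "no justification or explicit consent, or contact stale",
        "deleted_at": deleted_at.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample records, not real people.
    old = InventoryEntry("c-001", "name, e-mail", "", "none", False, 2012)
    live = InventoryEntry("c-002", "name, e-mail", "newsletter subscriber",
                          "send newsletter", True, 2017)
    for e in (old, live):
        if needs_deletion(e, current_year=2017):
            cert = destruction_certificate(e, b"Jane Doe <jane@example.invalid>")
            print(json.dumps(cert, indent=2))
```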
Biography: Gordon Owen is a hybrid Authorpreneur & e/i-print book publisher at iGO eBooks® in the niche genre of voluntary sector fundraising, governance, organisational and e/iPublishing matters, with 31 e/i-print Books in the 4 genre material series providing a guide and reference to techniques, things to consider, and contacts with URL links, for new, small, and emerging groups/organisations in the voluntary/third sector seeking to improve their engagement with potential funders in the statutory, corporate, and charitable trusts/foundations sectors. Gordon has spent the past two years reading, presenting (including directly with the ICO) to organisations and training on GDPR, to better understand processes and give good guidance.