Imagine all your data in a Steel Box (Fire/Bomb Proof) – divided into three sections.
(ii) “Personal Data”
(iii) “Segmented Personal Data”
The Steel Box closes and is secured by an indestructible padlock.
(1) Padlock = Firewall – (Best you can afford, ensuring updates & patches are always performed & budgeted for).
(2) Padlock Key = Password(s) – (commonly the weakest and most vulnerable link) = Secure Password(s) (upper/lower case – alpha/numeric/character). Never use the same (or similar) password(s) that you use in personal circumstances, e.g., social media – they should always be entirely different so that if personal password(s) are ever hacked it will not compromise the password(s) used in an organisation.
(3) All data encrypted (if stolen, easy readable access is prevented – it is just a stream of ‘0s’ & ‘1s’ so garbage to the perpetrator). If your budget can afford it, sandboxing to reduce the risk of Phishing + Viruses + Spam + Malware e-mails getting through and accidentally being opened, creating yet another vulnerability.
(4) All data backed up regularly (so it can be restored if hacked) – reducing downtime and in some cases ‘could’ avoid the need to succumb to blackmail by a hacker and pay a bitcoin ransom – provided you are satisfied that all the backed-up data is secure AND encrypted, with updates and patches applied.
(5) Data Cleansing/Deletion : Review data, (especially ‘personal data’) on a regular basis – undergo a cleaning process & deletion of ‘old data’ (record this in the form of a ‘deletion certificate’ as an evidence base for any checks or audit). If you have not been in contact with an individual on your database/CRM/Spreadsheet for 3 years plus, why do you need to retain it – delete. The exceptions to this are (a) data/personal data that has to be retained for a specified period for legal compliance; & (b) retention required as a ‘legitimate interest’, e.g. personnel HR, financial accounting, legal documents.
(6) Data Mapping : Periodically undergo mapping of data/personal data and where it is stored (on-premises/data centre, and/or in the cloud). Know where ALL your ‘personal data’ is held and be prepared to show evidence of this in the event of an ICO request, or of a breach that you have to report to the ICO within 72 hours of that breach becoming known. Sounds obvious and you ‘think you know’ – but what about such data in spreadsheets on old computers/laptops, memory sticks, tablets, smartphones – copies staff/volunteers made to work from home + other external backups they may use. Remember that images, e.g. photos of individuals, IP/e-mail addresses plus anything that may identify an individual are also covered, and explicit consent is required for them. Ensure good practical policies are in place to cover:-
(a) Data Access : By whom and when access to ‘personal data’ can be made, with restrictions as to the legitimate purpose, for a time-limited period to perform that legitimate action, after which permission is rescinded.
(b) Data Permissions – Policy as to who can access (read-only) and who can change (triple ‘A’ – add, alter, or amend) ‘personal data’, versus those who can only interrogate or read, with logs kept of ALL such access.
Database/CRM/Spreadsheet(s) systems should be integrated so that when an individual is deleted it not only deletes ‘a’ single entry, e.g. a name on a marketing mailing list, but removes ALL records for that individual from any and all segmented databases/CRMs/spreadsheet(s). Then, if a request to remove or suppress is received from an individual, it is done not only in a timely fashion but also thoroughly across ALL databases/CRMs/spreadsheet(s) likely to hold that individual’s ‘personal data’ or any part thereof.
(c) Permissions cessation – Ensure that any and all access/permissions are entirely closed down for any member of staff or volunteer once the authorised need to access ceases, and on their last day of engagement.
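Items (a), (b) and (c) above describe one mechanism: access to ‘personal data’ is granted for a named purpose, at a read-only or change level, for a limited time, every attempt is logged, and all grants are closed when the person leaves. The following is an added illustration written for this checklist, not code from any product or from the author; the registry, its method names (grant, check, revoke_all) and the sample users and timestamps are all constructed.

```python
"""Added example: time-limited, purpose-bound access to personal data with an
audit log. Illustrative code written for this checklist; AccessRegistry and
its methods are assumptions, not a real library."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

READ = "read"
CHANGE = "change"   # the "triple A": add, alter, amend (implies read)


@dataclass
class Grant:
    user: str
    level: str          # READ or CHANGE
    purpose: str        # the legitimate purpose the access was approved for
    expires: datetime   # access is refused from this instant onward
    revoked: bool = False


@dataclass
class AccessRegistry:
    grants: dict = field(default_factory=dict)   # user -> list of Grant
    audit_log: list = field(default_factory=list)

    def grant(self, user, level, purpose, hours, now):
        if level not in (READ, CHANGE):
            raise ValueError("level must be read or change")
        g = Grant(user, level, purpose, now + timedelta(hours=hours))
        self.grants.setdefault(user, []).append(g)
        self._log(now, user, "grant", level, purpose, "ok")
        return g

    def check(self, user, action, now):
        """Return True if user may perform action now; every attempt is logged."""
        for g in self.grants.get(user, []):
            if g.revoked or now >= g.expires:
                continue                      # expired or rescinded grant
            if action == READ or g.level == CHANGE:
                self._log(now, user, action, g.level, g.purpose, "allowed")
                return True
        self._log(now, user, action, "-", "-", "denied")
        return False

    def revoke_all(self, user, now, reason):
        """Close down every grant for a leaver (item (c))."""
        for g in self.grants.get(user, []):
            g.revoked = True
        self._log(now, user, "revoke_all", "-", reason, "ok")

    def _log(self, now, user, action, level, purpose, outcome):
        self.audit_log.append({"ts": now.isoformat(), "user": user,
                               "action": action, "level": level,
                               "purpose": purpose, "outcome": outcome})


def demo():
    """Constructed scenario: a read-only reviewer, a one-hour change grant,
    and a leaver whose access is closed on the day."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)   # constructed time
    reg = AccessRegistry()
    reg.grant("alice", READ, "annual supporter mailing review", hours=4, now=t0)
    reg.grant("bob", CHANGE, "correct address on request", hours=1, now=t0)
    half_hour = t0 + timedelta(minutes=30)
    results = {
        "alice_read": reg.check("alice", READ, half_hour),
        "alice_change": reg.check("alice", CHANGE, half_hour),   # read-only
        "bob_change": reg.check("bob", CHANGE, half_hour),
        "bob_after_expiry": reg.check("bob", READ, t0 + timedelta(hours=2)),
    }
    reg.revoke_all("alice", t0 + timedelta(hours=1), "last day of engagement")
    results["alice_after_leaving"] = reg.check("alice", READ, t0 + timedelta(hours=2))
    results["denied_events"] = sum(1 for e in reg.audit_log if e["outcome"] == "denied")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the code makes is that a denial is as much evidence as an allowance: the audit log records the refused change attempt by the read-only user, the attempt after the one-hour grant expired, and the attempt after the leaver’s access was closed, which is exactly the log an auditor would ask for under (b).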
(7) Explicit Consent – Ensure all ‘personal data’ retained has moved from simple opt-in ‘implicit consent’ to ‘explicit consent’ obtained for and from each individual. Be able to satisfy not only yourself but the individual whose personal data details are held by being able to answer three basic questions if asked – (a) What ‘personal data’ do you hold on an individual? (b) Why are you retaining an individual’s ‘personal data’? & (c) What are you going to do with that ‘personal data’? Individuals must be satisfied that you can confidently answer not one or two of these three questions but all three, so that they can make an informed decision as to whether they are prepared to provide ‘explicit consent’ for you to retain and use their data. Assurances may well be required as to the steps taken to secure their ‘personal data’; that it is NOT shared without the prior knowledge and approval of the individual; and that ‘if’ a 3rd party is used to facilitate actions using their ‘personal data’ they are equally compliant, albeit that as the owner of the data you are ultimately responsible irrespective. If relying on any ‘personal data’ held as a ‘legitimate interest’, be satisfied and reasonably confident that you can justify this if called upon by the ICO.
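Question (a) in (7), the cascading deletion across segmented databases/CRMs/spreadsheets in (6), and the ‘deletion certificate’ in (5) all rest on the same capability: being able to locate every record an organisation holds on one individual, wherever it sits. The following is an added illustration written for this checklist, not code from the author or any real system; the three stores, their field names, the e-mail addresses and the certificate layout are all constructed.

```python
"""Added example: find every record held on one individual across segmented
stores (question (a)), erase them all in one pass, re-check that nothing is
left, and produce a deletion certificate as audit evidence. The stores and
identifiers below are constructed sample data, not any real system."""
import copy
import hashlib
from datetime import datetime, timezone

# Constructed sample data: three segmented stores (a marketing list, a
# donations spreadsheet and an events CRM) that each hold part of a person's data.
STORES = {
    "marketing_list": [
        {"email": "j.smith@example.org", "name": "J Smith"},
        {"email": "a.jones@example.org", "name": "A Jones"},
    ],
    "donations": [
        {"donor_email": "j.smith@example.org", "amount": 25},
        {"donor_email": "a.jones@example.org", "amount": 10},
    ],
    "events_crm": [
        {"contact": {"email": "J.Smith@example.org"}, "event": "Spring Fair"},
    ],
}

# Each store names the individual differently; the data map records how to
# read the identifier from a record in that store.
IDENTITY_FIELDS = {
    "marketing_list": lambda rec: rec["email"],
    "donations": lambda rec: rec["donor_email"],
    "events_crm": lambda rec: rec["contact"]["email"],
}


def _same_person(name, rec, key):
    # Case-insensitive so "J.Smith@" and "j.smith@" are treated as one person.
    return IDENTITY_FIELDS[name](rec).strip().lower() == key


def find_subject(stores, email):
    """Question (a): what personal data do we hold on this individual?"""
    key = email.strip().lower()
    found = {}
    for name, records in stores.items():
        hits = [r for r in records if _same_person(name, r, key)]
        if hits:
            found[name] = hits
    return found


def erase_subject(stores, email, requested_by, now):
    """Delete from every store, re-check, and return a deletion certificate."""
    before = find_subject(stores, email)
    key = email.strip().lower()
    for name in before:
        stores[name][:] = [r for r in stores[name] if not _same_person(name, r, key)]
    remaining = find_subject(stores, email)
    # The certificate keeps a hash of the identifier rather than the identifier
    # itself, so the evidence archive does not recreate the data just deleted.
    return {
        "subject_ref": hashlib.sha256(key.encode()).hexdigest()[:16],
        "requested_by": requested_by,
        "deleted_at": now.isoformat(),
        "records_removed": {name: len(recs) for name, recs in before.items()},
        "complete": not remaining,   # False would mean a store was missed
    }


def demo():
    """Constructed run: one erasure request against a copy of the sample stores."""
    stores = copy.deepcopy(STORES)
    cert = erase_subject(stores, "j.smith@example.org", "data subject request",
                         datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc))
    return cert, stores


if __name__ == "__main__":
    certificate, left = demo()
    print(certificate)
    print({name: len(recs) for name, recs in left.items()})
```

Two design choices carry the checklist’s points: the identifier comparison is normalised so a differently-cased e-mail in the CRM is still found (the ‘thoroughly on ALL databases’ requirement), and the certificate’s ‘complete’ flag is computed by re-running the search after deletion rather than assumed, so a store missing from the data map would show up as an incomplete erasure instead of a silent gap.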
Note : (i) On-going practice & Reviews – Please remember the above processes ARE NOT a one-off exercise – it is a revolving practice that will need to be carried out on a reasonable periodic basis to ensure everything is functioning. IT sections and Data Protection Officers should undergo data/CRM tests of your systems to ensure they are working effectively, so as to strive to be as compliant as possible with GDPR, the ePrivacy Regulation, (and for charities, FPS).
(ii) Responsibility – The responsibility not only lies with Boards/Trustees/Committees, IT, and the DPO, but should evolve as a cultural practice amongst anyone and everyone who handles such data, so that everyone has ownership of sharing and operating good practice to significantly reduce risk.
(iii) Transparency & PR – Make sure that you can, as confidently as possible, demonstrate that you have made every reasonable attempt to secure, safeguard, protect, and maintain the confidentiality of all data, especially ‘personal data’, in the event of being challenged by an individual, the ICO, FPS/(FR), and be in a position to counter any negative media/press that may ensue in the event of a breach. This needs to be co-ordinated between all departments/projects/divisions you may have so as to be as coherent and consistent as possible.
(iv) Archiving Evidence of action taken and consents – Determine how you are going to document and archive evidence-based records of actions taken, explicit consents obtained, and deletions made. Bear in mind that this will have a significant cost element over a long period for storage (and more again for retrieval), and that an audit might demand backdated records to be provided for compliance – so build in a contingency budget for such expenditure annually.