In our previous 2 posts we suggested some practical tips for assessing your team in the light of GDPR to help you turn the beast into something much more lovely and cuddly. In this post we finish asking key questions and hopefully help you to see your way forward.
How to Tame the GDPR Beast Part I
How to Tame the GDPR Beast Part II
Question #3 Can you show how you are keeping your data up to date and not storing it past its 'sell-by date'?
The Legal Bit
Article 5(d) states that "personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;" Keeping your data up to date is a really good way to make sure you only use the data in ways that the person would expect.
Article 5(e) states that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" In other words, don't keep it past its 'sell-by date' as the more data you store, and the longer you store it, the greater the risk of this getting out of date or being compromised in some way. Keep everything tidy and regularly cleaned, and this is a much more respectful way to treat someone's data.
The Practical Bit
Now it may be that your contact data provider keeps this data up to date for your journalists, however you should also think about how you store data on other types of contacts such as stakeholders, community leaders or politicians and also what you store. If you are in the police or NHS you may also want to think about something called 'data weeding' which is a method for quickly deleting or redacting information about members of the public (for example details of criminal activities or medical conditions) from your statements and other documents after a certain time period.
Again, assess what tools you have to keep this data up to date (third party providers, unsubscribe processes on your emails, email bounce back information) and see if there are any improvements you could make. In addition look at all the places you currently store information on contacts and make sure that you have tools for identifying when something is past its 'sell-by' date.
In PRgloo we automatically flag contacts with issues, show when records were last updated and provide tools for redacting data to help with these sorts of tasks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Question #4 Can you show how safely you are keeping your data?
The Legal Bit
Article 5(f) states that personal data must processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. In other words "How are you protecting this data?"
The Practical Bit
Now most organisations really fall down with this bit. A spreadsheet on a shared drive really does not cut the mustard. Would you be happy with the names and email addresses of your family and friends simply sitting on someone's shared drive or googledocs? I wouldn't and that's the point. I'm paraphrasing here but "Do unto others' data as you would have done unto yours" is not a bad rule of thumb when it comes to navigating GDPR.
PRgloo's system is fully secure and externally audited. We're also Cyber Essentials accredited. We make it impossible to accidentally share a link to a spreadsheet or CC everyone (so that all emails are compromised) or to fall foul of any of the other fun risks surrounding data. Have a look at how easy or hard it would be to compromise the data you store on your journalists and stakeholders remembering that the more systems you use, the greater the risk of error.
Phew you reached the end!
Well done. We hope that was useful. Once you have written up the above and properly thought about your data practices, you may not be compliant, but you'll certainly be a helluvalot closer to being so. And don't forget, the ICO helpline is amazing and open 5 days a week on 0303 123 1113. We're also happy to share any of our thoughts with you too.
If you'd like to chat about any aspect of GDPR or see more of PRgloo - just give us a call and we'll be happy to help.