Talking about what? Well, GDPR – the General Data Protection Regulation – of course. As expected, since the turn of the year it has become the hot topic at seminars and is spawning a platoon of experts. Most businesses were aware of its imminent arrival (on 25th May) but consciously chose to take no direct action until 2018. That’s okay for many: five months is enough time to get their GDPR ducks in a row. Not so for Code String.
We took a more pragmatic view of this early on and acted. We’re up to date with the legislation, have learnt what it takes to be fully compliant, and are continually looking at additional measures we can implement. Why? Because it’s not just about us. It’s about our clients too. Adding an extra layer of security to the way we store and manage our clients’ data takes us well beyond the remit of GDPR – but that’s great for everybody. As a data processor, it means that our current and future clients (the data controllers) can see that we comply with the high standards they should expect.
Securing a client’s data carries a big responsibility in any case. We already had ISO27001:2013 in place to put us ahead of that game. But we have since added critical elements of GDPR compliance with Accountability, Privacy by Design, Information Held, Data Subject Access, Data Breach and Data Information policies. These are comprehensive but necessary measures that serve to inform and direct our team and our clients’ teams.
Here’s an example. We manage promotional competitions for several clients. All demand that we process, manage and store data about our clients’ customers.
GDPR Article 5 mandates that personal data ‘be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data are processed’. In line with this, one policy already in place states that Code String will retain customer data for 190 days following a promotion. Seems pretty clear to us. We can extend that term but will anonymise that data by taking out all the personal details.
GDPR is being called a ‘game changer’, though the Information Commissioner’s Office states that very little is new. But it will be for some: for instance, public authorities have a reduced scope for relying on consent or legitimate interest as their lawful basis for data processing. But for us and our clients, the directives don’t seem unreasonable. Much of it is unchanged from the 1998 Data Protection Act that we already operate under. Documenting what information is required for each project, detailing the individuals who have access to that data, and adhering to policies that define what happens to that data over time is something we’ve always done. It’s sound business practice.