Why GDPR is like clearing out the ‘man drawer’
GDPR guide for SMEs in Jersey. By Caroline Dutot
If you have ever seen Michael McIntyre’s sketch on the ‘man drawer’ you will know it is that drawer/box/space in every household where items of complete randomness are kept – just in case we should need them. As Michael McIntyre puts it, the ‘man drawer’ is the place where we keep batteries of indeterminate life, instructions for appliances we no longer own and keys from homes we no longer live in.
Targeting your sensitive and personal data in response to GDPR is a lot like clearing out and organising the ‘man drawer’. It is no longer about putting items in the drawer just in case, but about asking why they are in there in the first place, whether they are ours to keep and what legitimate purpose they serve for us. Then, if we are going to keep the items, how long do we need them for and where should we put them to keep them safe?
A lot of the information out there about GDPR is focussed on telling businesses and organisations that they need to comply with the new data protection requirements by 25 May 2018 or risk a large fine. Yet there is very little practical information to help small to medium-sized businesses, in particular, achieve compliance. The concept of ‘data mapping’ is being widely talked about, but how exactly do you map your own data? And once you have mapped your data, what do you then focus on?
Once you have mapped your data, the next step is to re-assess your existing documents, contracts and arrangements so that they align with the outcomes of the mapping exercise. It is not a case of updating one internal policy but of reviewing several areas, namely:
- Privacy Notices: This is what you say to your stakeholders/clients/customers about the information that you hold on them, why, who it is shared with, how it is stored and how they can access it or have it deleted.
- Consent notices: If you are relying on a person’s consent to process their data then you need to ensure your consent notices are clear and unambiguous and require the person’s positive opt-in (not a pre-ticked box). This includes gaining consent to send out marketing material or regular updates/newsletters.
- Third Party Arrangements/Contracts: If you share data with others then you need to set out clearly in writing who is the controller and who is the processor in those arrangements and what responsibilities each has.
- External Data Protection Policies: If not covered elsewhere, information about how a person can make a subject access request, have their information deleted or corrected, or make a complaint.
- Staff Handbook/Internal Data Protection Policies: These are your internal policies explaining to your staff what the process is should a breach happen and how to respond to a subject access request.
- Data Protection Officer: This can be an internal or outsourced role, but it is a required role if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special categories of data (such as health records or information about criminal convictions) on a large scale.
For practical assistance on how to map your data, how to take the next steps to become GDPR compliant, and how to update your privacy/consent notices, contracts and policies, contact Advocate Caroline Dutot on 01534 481809 or at firstname.lastname@example.org