The new General Data Protection Regulation (GDPR) comes into force in May 2018, and I’ve spent the last few months getting to grips with its implications for Gallowglass. If you saw my two earlier blogs on the subject, you’ll know that we started by attending forums and calling in a couple of GDPR experts, so we’d be sure we fully understood our future obligations. We then raised some searching questions about the systems we currently have in place to manage personal data (with a workforce in excess of 600, we hold a lot of information, and not all of it essential!). Then we looked at where we are storing this data and who currently has access to it.
Going forward, our next task is perhaps the biggest challenge: we need to roll out staff, supplier and customer education to ensure that everyone in our communication chain understands data protection and takes it seriously.
This is serious stuff: the fines are eye-watering, and the limitations the ICO can impose on your business, should it decide you aren’t to be trusted with personal data, could be enough to cripple it. Did you know that they can stop you processing data until they’re satisfied that you’ve got your house in order? We didn’t, until recently. Can you imagine trying to run a payroll and not being allowed to process staff data, or running an event where you can’t manage the delegate list?
Getting others to encrypt data or password-protect spreadsheets and documents containing Personally Identifiable Data (PID) is a significant challenge. People don’t like change and resist having to do things differently, especially if it means adding a couple of extra steps they didn’t need before.
On the plus side, one of the easy wins was getting our head office team to handle printouts of personal data more securely. Basically, this meant anyone who printed out personal data (e.g. HR printing out CVs and job application forms; Payroll printing out timesheets, etc.) had to operate a clean desk policy: if they weren’t at their desk, or the paperwork wasn’t actually needed at that time, it had to be locked away in their desk or filed securely.
Of course, when you are part of a communication chain sharing PID with other companies (whether electronically or in printed form), the whole story gets a lot messier. Bear in mind that in the event of a breach, the fines that could be imposed may be based on the global group turnover of the biggest company in the chain. This means that if your client is a huge multinational bank with a multi-billion turnover, the potential fallout is catastrophic. Suppose that client were to share data with you, which you then pass on to someone else, who then hands it over to someone else … and a breach occurs somewhere along the line. The fine imposed could be based on the bank’s turnover and passed down the chain to all players! Oh, and by the way, those fines are imposed on the directors of a company personally. This is to prevent people from closing down their company, leaving the fine behind and starting afresh. Are you scared yet? I know I am.
So, the essential protocol when someone asks you for PID will be to establish:
1) What is it to be used for?
2) How long is it needed for?
3) How is it going to be stored?
4) Is it going to be passed on to someone else?
5) How is it going to be destroyed once it is no longer needed?
Once those questions are answered, we will:
1) Pass that information across in a secure manner (this means taking simple steps to password-protect and encrypt the spreadsheet or document).
2) Record who we have passed that information to and when. This is because under GDPR, individuals have a right to have their data removed. We (and you) have to be able to show who has had access to that data, so that individuals can satisfy themselves that once it is no longer needed or relevant, their information has been destroyed.
In the light of the above, we’re now taking active steps to minimise the amount of PID we pass around. We’ve prepared a form that we’ll be asking people to complete, which we’ll save in a secure location before we hand the data over. This is one of the reasons why we’re so keen that our clients use the client app developed by Gallowglass and launched earlier this year. The information stored there is encrypted. It isn’t stored there permanently. It can only be accessed securely with an authenticated password. We’re able to record the date and time people logged on to the app, so we can show when data was last accessed.
We like to think that in the future, clients will adopt this as a much faster and simpler alternative to the way they’re currently having to ask for crew names and contact numbers.
We understand that there will be times when more information is required (e.g. addresses, driving licence details, passport numbers). We’ll still be able to provide it, but unfortunately there will be a few more hoops to jump through before we can share that data. I am actively looking at incorporating the data request form into our client app, so that the information is securely stored and logged and the whole process becomes streamlined.