It has been a busy few months since we started talking and preparing for GDPR – which is why our blog posts on this subject have dried up a bit of late.
So, what have we done to prepare and what changes have we made to our day-to-day procedures?
- All Gallowglass, laptops, desktops, servers and mobiles are now running with encrypted storage.
- Our crew and client apps all store their information in encrypted databases, so any personal information is protected. Also, they were already using SSL encryption for the web pages used to access the information.
- Our websites have been updated to ensure any contact information entered is actioned in a secure manner and only retained for the minimum amount of time necessary to enable us to handle the request (be that a quote or recruitment application or simply use of our Contact Us page).
- We have conducted staff awareness training on GDPR.
- We have changed our processes for supplying crew names requests (more on this later).
- We’ve also analysed our internal database to evaluate the personal information we gather, both for employees and clients. As part of the evaluation we determine its purpose and whether it is still needed. If not, we remove it.
What we are still working on
- Reviewing all database records containing individuals’ personal information and evaluating whether we need to retain that information for contractual needs (e.g. old records of crew who have left us; former client contact information, etc). This is a huge housekeeping job as we have over 40,000 client contacts in our CRM and several thousand crew employment records that have gathered over the past 20 years! More on this further down.
- Implementation of Rights Management Services to further protect data containing personal information.
- Compliance Officer training to manage data compliance in accordance with our internal policies.
Our new way of handling requests for crew details
These days we get asked for crew details and names for a huge amount of our work.
With this in mind, and conscious of the rights of the individual to know who has access to their personal information, we have had to introduce certain new processes to ensure those rights are protected as much as possible, while simultaneously doing our best to assist and support our clients.
You “just want to know who is coming”
The first thing we would ask our clients is to think about what data you actually need, and why. If you simply want the names of the crew so you know who is going to turn up, we strongly encourage you to make use of our client app (find out more here and you can register here). This gives you up-to-date information and you can choose to be notified as and when crew are assigned to your order. Also, you will know about any last-minute changes without the headache of having to ensure you are storing and managing that information yourself in a secure, GDPR- compliant manner.
If you don’t really need the information, please don’t store it on your personal devices.
The accreditation headache
We’ve all had to deal with this at some point. Some events require the sharing of extremely sensitive data, in order to facilitate security checks.
Given the rights of the individual to know who has had access to their personal information and how it has been handled, we feel it best to ask you to provide us with some information, so we can maintain an audit trail. That way we can provide it to any individual making that request.
We’ve introduced a simple form that asks:
- What information you require
- Why the information is required and who else is going to have access to it
- How the information will be destroyed once it is no longer required and when that will be (i.e. the data retention policy).
We are working on making this a feature of our client app to make the process a bit easier for you but in the meantime our orders team will happily help you with these requests.
We would ask that whenever you have gathered personal information about our event crew in the UK and further afield, you assess whether you still really need it, and if not, to destroy that data.
Also, if you do gather crew information in the future, please do treat it with care as if it was your own personal data. The last thing any of us need is a visit from the Information Commissioners Office!
How are we dealing with all the stored personal data we hold?
As you can appreciate, over the past 20+ years we have gathered a lot of personal information (who placed an order, name and contact details of on-site contacts, crew information needed for payroll purposes, etc).
Going through this is a huge task.
We are committed to ensuring that information is stored securely, and that access is limited to only those who actually need it.
By 25 May we will have conducted a data purge of all historical client personal data (i.e. if someone hasn’t worked with us for over six years the only personal information we will retain will be their name).
Part of this will involve a mailshot to those clients who are using our app, asking them to confirm whether everyone who has registered for the app should still have access to it. We will be adding functionality to designate admin users within a team, to give those admin users the ability to block invalid app users and to on-board new team members.
Data access requests are handled at the moment by emailing firstname.lastname@example.org, although we are working on methods to allow you to check online whether we hold information about you and to request what that is. When that is ready, we will post an announcement on the blog.
This isn’t the end of the GDPR story
Rather unhelpfully, the goal posts are still moving on this. While the legislation is coming into force from 25 May, Brexit and other legal challenges could prompt further changes.
We are continually reviewing the situation and may make additional changes depending on the landscape at the time.
If you want to know more about GDPR, we’ve got a whole series to help you to get to grips with what you may need to consider: