Saturday, October 13, 2018

GDPR Consideration before starting a project

GDPR is a once-in-a-generation update of our data protection regulations. And it has huge implications for people managing projects that store, capture or process personal data. GDPR projects abound at the moment; you might be involved in one yourself. But beyond the setting up of GDPR principles in your business, what does data protection look like for project management? What data protection considerations do you need to take into account before a project starts?

GDPR Protect Personal Data - any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
That’s quite broad, and covers things like:
  • Name
  • Address
  • Data of birth
  • Location data gathered from browser history
  • Identification number, such as a customer reference number, as long as that can be tied back to a person
  • Online identifier, like a social media user name.
Many, many projects will store, touch, capture or process personal data, because businesses have huge amounts of data about both customers and staff.
1. Who is Your Data Protection Officer?
Your company is highly likely to have a Data Protection Officer (DPO). This person will be responsible for all data protection issues within the organisation. They are your first point of call if you have a data query.
It’s good to know who they are. They become one of the subject matter experts you can then draw on during the project in case you have questions about data protection, or any of the data subject rights under GDPR.

2. What is a Data Privacy Impact Assessment?

Does your project handle personal data? If so, you’ll need to complete a Data Privacy Impact Assessment (DPIA).
A DPIA is basically a review of what personal data is being handled as part of the project. There are lots of questions to answer, and at the end you get an idea of the scope and scale of the risk.
The DPIA looks at:
  • The scope, context and purpose of the processing required
  • Whether it’s necessary to process the data
  • What compliance measures are/will be in place
  • The risks to individuals (your data subjects)
  • The measures you can take to mitigate those risks.
Your PMO should have a DPIA template, and any project that touches personal data should be required to complete it. This is something your Information Governance Manager or DPO can help with. Then you can appropriately plan the controls and actions required to move the project forward. 

Will You Transfer Data Outside the EU?

Does your project involve transferring data outside of the EU?
If so, you’ll have to pay special attention to what that requirement looks like. You may also have to face the reality that you might not be able to do it. If the company you want to transfer to does not have adequate data controls in place, you could be better off looking for an alternative solution that doesn’t require transferring data outside the EU.
This is one area where you will want to draw on the expertise of your DPO and the lawyers in your business.

4. What Does Your Privacy Notice Say?

You’ve read your company’s privacy notice, right? They probably have one for staff and one for customers.
Even if you’ve never bothered to look at it before, if you are running a project that uses or captures personal data, then it’s worth taking a look. You need to be sure that your project can meet the standards laid out in the privacy notice. For example, if there is nothing in there about contacting customers via SMS message, then you can’t contact customers via SMS message, even if your project sponsor thinks it’s a genius idea. You need to get consent to market to people via SMS, and if you don’t have it, you can’t do it.
You may also hear the privacy notice referred to as a Fair Processing Notice.

5. What is The Retention Policy for Data?

Projects create a lot of data. Whether you are setting up staff list rotas for a waste disposal plant or capturing customer data in your new app, you are collecting data. And some of it will be ‘personal’ data – information about living individuals.
You need to know how long you are expected to keep data for under you company’s data retention periods. Then you need to be able to destroy it.
For your project, this means understanding what the retention policies are, and making sure that your project complies with them. For example, it may be that you have to tag each new entry in the database with a destruction date, automatically calculated from the user sign up date. Or you may have to design a new monthly report that flags what data can be safely destroyed.
GDPR focuses on personal data, but it’s never a bad idea to include data destruction for non-personal data in your project requirements too. Then you’ll never over-retain anything and you’ll stay in compliance with wider organisational requirements.

6. What Impact Does Right to Portability Have?

GDPR confers various rights on data subjects (i.e. people) and one of those is the right to portability.
Think about your contract with your utilities firm. You pay them monthly for your water, gas or electricity. You want to move to another provider. Right to portability gives you the right to have your customer data in a way that makes it easy for you to switch providers. In this super simple example, it could be the details of your last 5 meter readings, so that your new provider can get an idea of how much electricity your household normally uses over time.
Your project needs to be sure that whatever you build can still meet someone’s right to port the data elsewhere. Factor that in your requirements so that the first time you’re asked, you can actually fulfil their needs.

7. Does Your Project Rely on Profiling?

“Let’s use Facebook to target people who want to buy our new ice cream.”
While that sounds like a great marketing tool (and who wouldn’t want to work on an ice cream project?), managers should be aware that GDPR requires you to be transparent about profiling and automatic decision making. You need to let people know what logic is used to process their data.
A more realistic example is buying insurance. If you set up your company insurance software engine to automatically decline people who trip several triggers during the buying process, then you need to make sure that’s clear to people.
The way to do this would be in the organisation’s privacy notice, so make sure that if you are introducing new automatic decision making or profiling tools (think: AI and bots) then your legal team is also updating your privacy notice.

8. Are You Using Opt In Forms?

Under GDPR, consent has to be transparent and freely given. That means no more pre-ticked consent boxes on website opt in forms. People have to actually tick the box (instead of untick it, if they don’t want the info).
Your Marketing team are probably already aware of this, but make sure that you’re following best practices for consenting people who reach your website, if your project has an online element.

9. Can You Find Data in Your New Software?

Many projects introduce new IT software and systems. When you add a new tool to your IT estate, it needs to be searchable.
That’s because under GDPR, people have the right to ask for their data. You need to be able to find it.
In the UK we’ve had Subject Access Requests for some time, so this requirement isn’t totally new. The process gives people the ability to request copies of their data. Organisations have a certain length of time to respond.
The GDPR requirement doesn’t really make this much different, although the length of time is now shorter. What is worth considering though is how good your systems were in the first place? When someone asked for copies of their records – whether that’s an employee or a customer – were you able to truly give them everything on file? GDPR forces companies to rethink the process so consider how searchable your new tools will be.
10. What’s the GDPR Risk?
If your project exposes the business to a significant risk in any of these areas, then you should escalate it. The fines for lack of compliance are huge, which should automatically make any of your project risks related to data protection become programme risks or beyond.
As well as financial penalties, there is reputational risk for companies that don’t treat customer data securely. Do you want your project to be responsible for your employer being splashed all over the news as the next big data scandal? GDPR projects around Europe will be looking at the overall implications of this risk to the organisation, but what what about specifically for your new project?
Add any risks to the corporate risk register via the correct route, and don’t simply leave them on the project risk register.

No comments:

Post a Comment