With a new reliance on digital platforms, CRM along with many organisations has been challenged with the way we safely manage data in order to do business in a Coronavirus affected world. We asked Kellie Peters, Data Rockstar and Chief Executive of Databasix to share her thoughts on GDPR during these testing times.
The Coronavirus (COVID19) has challenged businesses large and small to rethink how they work during lockdown and beyond. In order to contain and manage the spread of the virus organisations have had to process new personal data, such as travel details and health status. Or in the case of pubs and restaurants the Government has stated that they will need to collect contact details for all customers, in order to assist with test and trace efforts.
For a significant number of businesses it was imperative to digitally transform their places of work to be able to work effectively, for example introducing new:
- communication tools like Zoom and Microsoft Teams to support virtual meetings.
- cloud-based systems, such as BrightHR or BreatheHR to manage staff records.
- Training or event management tools such as Hopin, ClickMeeting and GoToMeeting.
In fact, many digital transformation projects that may have been ear marked for the future have been fast-tracked and implemented within days/weeks, rather than months! The challenge with rapidly introducing new electronic systems is that the the data protection risks have not been thoroughly considered, such as:
- What personal data are they (online tools) collecting about me and my clients?
- Do they (online tools) share or sell personal data about me and my clients to 3rd parties?
- Where in the world is the personal data stored?
The General Data Protection Regulation (GDPR) mandates that organisations consider privacy by design and by default. Don’t prioritise convenience over security.
Alongside the introduction of new technology, organisations are faced with managing a remote workforce, and with that comes the risk of personal data breaches. For example, emails being sent to the wrong recipient, exposing email addresses in the ‘cc’ box rather than using the ‘bcc’ box or inadvertently sharing documents with the wrong client.
What we are also starting to see is an increase in support requests for handling subject access requests from employees who have been furloughed, or have been given a redundancy notice. The biggest challenge being responding to these requests take longer due to the team and data being located in a wider spread of locations.
For me the most interesting aspect of the past 15 weeks is that we are seeing a number of enquiries from Operations Directors, who are responsible for GDPR compliance, approaching us about GDPR Audits. Why, well it has become apparent to them that the data protection policies, including home working, retention schedules and staff training programmes they introduced two years ago has exposed too many holes which they now realise need to be addressed.
I have pulled together a quick compliance list for individuals responsible for GDPR with their organisation to work through:
- Have your privacy policies been reviewed and amended?
- Have you provided data protection training to staff in the past 2 years?
- Is your Register of Processing Activities Current?
- Is the lawful bases for processing personal data up-to-date?
- Have you reviewed your data protection policies in the past 2 years?
- Do you have contracts, with appropriate data protection clauses, in place with all your data processors?
- Have you completed data protection impact assessments for new systems / data processing?
- Have you processes in place to manage personal data breaches?
- Have you processes in place to respond to subject access requests?
- Have you regularly reviewed your organisations retention periods?
There has never been a better time then now to reassess your data protection compliance. The GDPR, if applied correctly, can be a framework for business resilience and growth.
Blurb about Databasix UK: We’ve developed the GDPR Toolbox to give worried Data Protection Leads a set of practical tools to deal with daily data protection challenges, without adding undue burden to their workload. You can book a demo here.