There is just too much stuff to read on GDPR. There is just too little that is practical. As the deadline looms (‘Are you GDPR-ready?’ becomes the question), practical is what it takes.
And so, I want to write a bit about the practical activities we are up to back at Phase 3 base on GDPR and our data.
We feel confident in our work on the readiness for the regulations becoming effective on 25 May 2018. But we feel fortunate because control of data and technology is something core to our small business. This may not be the situation you are in. Nor does ‘doing data’ necessarily come naturally to the typically self-styled people-person of HR.
I would like to see here on Insights the full Phase 3 story of GDPR once we are entirely through, as the more that we can do to dispel myth and legend, divert dangers and do the right thing by our data the better.
As Managing Director, I’m not too close to the detail of each activity, approving iterations and outcomes only, but here are a few of the things we have afoot on GDPR. I put these to you because I want to do a translation exercise – just as we do on HR Tech – to make meaningful that which otherwise risks a too-detailed descent into doing. Precisely. Not enough.
Getting Desperately Practical Right Now, Phase 3 are:
- Examining precisely what customer, contact and personal employee data we hold, where it is held, and who has access to it.
- Scrutinising policies and contracts for compliance and for whether they are up to date, each with a named owner.
- Briefing afresh those with key roles on the data; giving clearly written guidance to our employees about the practical things they need to be mindful of in their handling of data each day at work (and when working at home too!).
- Requesting active consent for the personal data that we hold about our team. Note that social media is one area where it is proving particularly hard to think through how we wish to ‘control’ it.
- Visiting each office and looking at security, armed with audit checklists. It is simple stuff: the locking of cupboards, the screen-savers, the paperwork on desks.
- Keeping a device inventory. We do on occasion operate a ‘bring your own device’ policy, and so we are sharing the guidance needed where this happens.
- Asking our suppliers and third-party contractors about their own compliance. The onus is on us to do that.
- Drafting privacy statements to publish on our website, with matching privacy information to issue internally.
- Capturing in a flow-chart what we would do if a data breach were reported in to our named officers.
- Asking line managers to create email filing systems that allow for separating communication that is about employees’ personal matters from the business talk.
- Tackling the difficult exceptions… (Assad, those are you and I, you know!)
- Oh, and phones. Phones get everywhere, and we need to work out how to give guidance that is safe but achievable to comply with.
GDPR is one to be taken seriously. But taking something seriously means translating it into practical action.