The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. - EU GDPR.ORG
In around 2011, the European Union started looking at what was happening in the world, and how places like Twitter, Facebook, and Google were collecting a lot of data about people. The legislation that had been around before that was out of date, as it was in the late ‘90s that a lot of the EU regulations came along in the first place.
So, in 2011 the EU started to come up with a more up-to-date process that reflected the way the internet was working.
One interesting fact about GDPR is that it came into force in 2016. A lot of people think it was this year (2018), but it’s been around for quite a while, so you really should have been doing GDPR for the past couple of years, but you could only really get in trouble for it from about May this year, which is when most people started really paying attention to it!
Changes You Need to Make to Comply with GDPR
There are a lot of aspects to GDPR, but the key things boil down to these three points:
Check Your Processors (Suppliers)
The first step to managing your suppliers and being compliant with GDPR is to produce a list of who your suppliers are. Where do you put customer data? Who’s a supplier to your business?
Administrate is a cloud-delivered platform and we host all our data on Amazon Web Services, so if you’re an Administrate customer, you’re giving us data which we’re storing within the Amazon cloud. When we started putting together the long list of all our suppliers, we had suppliers like Amazon, and Google as they handle our email. But the further down the list we got, we found things like some of our Engineers liking to listen to Spotify at work, so technically Spotify is also a supplier for Administrate. Even the pizza company, Dough, who bring our pizzas every Wednesday lunchtime, is technically a supplier to our business as well.
After you’ve gone through your list of all your suppliers, you need to categorise them. Does this supplier touch customer data? For example, Amazon stores our customer data but the pizza company does not store our customer data, only data about Administrate itself. Once you know who is touching customer data and who isn’t, it’s essential to find out each supplier’s status:
- Are they GDPR compliant?
- Do they have good terms and conditions?
- Have you signed up to those and read through those?
- Are you confident you know where your data is going?
If you’re storing your data with Administrate, then you can be absolutely confident your data is in a good place!
Inform Your Subjects (Students)
Your subjects are the people about whom you are storing data. So they are technically called data subjects, but for a training organisation, they would be your students and your learners.
But under GDPR you are storing data about more than just your students. You’re probably storing information about your staff (as you need to know things like their bank details or their National Insurance Numbers), and there’s also a final group of people who you maybe don’t think about on a regular basis, such as job applicants who have applied for roles in the past. That’s why it’s vital that you take the time to think about all the people you are actually storing customer data on, so you don’t miss anyone.
One of the key requirements of GDPR is that you need to be upfront with these people. Tell them when you are storing data about them, how long you are going to hold it for, and the purpose you are holding it for.
Have a Process for Deleting Data
You need to know how you’re going to delete your customer data, and in order to do that, you need to know where you are storing your customer data. This could be things like a paper-based filing cabinet, a cloud-based storage system, or on your local network.
You also need to have an understanding about what it would take to delete that data, such as how you would remove it and when you would remove it. It may not be as easy as hitting the delete key!
Finally, think about exactly what you are going to remove. If you want to remove a customer from your records, you may want to delete all their personal details but not remove any invoices which you have sent them. Otherwise, it could make your own accounts quite confusing! So make sure you are clear on how much data you will delete when it comes time for removal.
Who Can Access the Data You’re Storing?
When you think about who has access to your data, you may be thinking about protecting it against the “bad guys” like hackers and the like, but really you need to think about how you ensure only the right people within your organisation have access to customer data. For example, you may not want everyone in your business to have access to your financial data, so you may prevent some employees from gaining access to this.
How do You Protect That Data Against Accidents?
How do you protect your data from things accidentally going wrong with it? Maybe this means you need to give certain people read-only access to your data (or to certain sections of data), to ensure they can still see everything they need to but they can’t edit or delete it.
For example, this could be something like an invoice. Lots of people within your company may need to see invoices for various reasons, but only your Finance team will actually need to edit the data. Making sure that everyone else only has read-only access will ensure that no numbers or data are accidentally changed, as that would alter the entire invoice amount.
How Do You Run Your Backup System?
If there is an accident with your data, you need to make sure that you’re ready to recover it. If something goes wrong, like someone deleting some data by mistake, or if there was a server error, how would you get your data back?
A lot of organisations think that they are doing backups, but do you know what you’re backing up? Are you backing up your entire system or is it only a fraction? At Administrate we back up everything! All our customer data is recorded every single day, so everything is available within a backup in case anything does go wrong!
Next, you need to think about where you store the backups. There’s no point in storing your backup right next to where you store your data because if something happens to that location, such as a fire, all your data would be destroyed! Think about how and where your backup will be stored to make sure you will always have access to your data, even if something goes very wrong!
The final point on this, and the most important, is that you are not taking backups unless you are testing them! Anyone can think they are copying files from their laptop to a hard drive, or trust that their cloud provider is doing a backup, but testing your backups is a vital part of the process!
At Administrate our backup system requires that we do a test of the backup every single day, so we can always be confident that everything is working as it should.
Formulate a Process
Anything you do related to GDPR or security needs to be written down, so you can understand what your processes are. Having your processes written down ensures that everyone in your business (where relevant) can see how a process is meant to work and makes sure that all the steps are followed in the correct order, rather than people just assuming they know what to do.
It’s your job to ensure that all your employees know where to find your process, have been trained in the processes, and that they understand them and how they apply to their daily job.
To make sure everyone is following your processes, do ad-hoc reviews and see where you need to rework your processes to make sure they are adhered to at all times.
GDPR may sound confusing and scary, but the truth is the whole process can provide you with lots of strategic benefits for your training organisation.
When you’re making sure you are entirely GDPR compliant, it gives you the chance to run some audits on your business which can give you a chance to:
- Streamline processes.
- Reduce costs.
- Stop doing things that don’t make sense for your business any more, such as sending handwritten letters to customers which no one ever responds to.
- Highlight areas of your business which you could automate in the future, which Administrate will be able to help you with!
Watch Our LITE 2018 Talk!
If you want to learn more about this topic, watch our ‘How to Manage Security and Compliance Within a Training Organisation’ talk from LITE 2018!