GDPR is coming in May and we all need to be prepared for it. When it was announced I, like many other companies working in IT, was told that this was a good money spinner. What has happened in the market is that the software vendors have found any point at which their product can assist and then over-marketed it. The more I looked into how I could provide a value-for-money experience for my customers, the more convinced I became that most of the work had to be done by the customer. So let's be honest: get them to do the work in simple assignments that won't take that long, and then assist with any implementation, which is where we can add the value. When completing the assignments, don't worry about the end point of what you might have heard about: encryption, USB keys and so on. We need to do this in manageable steps. As one of my old managers said, you can't eat an elephant, but you can eat an elephant sandwich.
So let's explain GDPR and set the first assignment.
GDPR is an EU initiative which we will be implementing no matter the outcome of Brexit. We as a nation have to implement it to sell into the EU market. The USA has a different standard, which is why we have to store all backups within the EU borders. If we didn't implement GDPR we would have difficulty working with Europe.
The basic principle is the privacy of citizens, which includes the right to know what data you hold on them and the right to be forgotten if you have no legitimate grounds to hold that data. It is an extension of the Data Protection laws, so if you are already following those there will be a little bit of work and some documentation to complete.
The difficulty comes in defining what personal data is, as the law takes a very broad approach. Basically, if you can identify an individual from the data then it is personal data. If you have my name and email address or phone number then you are storing personal information about me, whether as electronic records or on paper. If you store this on your mobile phone, or your staff store it on their mobile phones, then those phones are covered by GDPR.
So the first assignment is to identify the data stores you have within your business, what you store in each one, and why you need it.
Here is my first pass at the data stores for our business, covering both the IT and the phone sides:
Atera – Ticketing system which contains names and contact details of individuals within the customers we have done work for. This is held in an online system within the UK. We need this information for billing and for ensuring the quality of our work.
Zoho CRM – Our central CRM system, which contains information from Atera together with our prospects' information. Emails are duplicated into this system. We hold this information to manage our customers and develop our business.
Our phone servers – Contact details for the end telephone points, the calls made and, if requested, call recordings. We hold this information to provide the service and for billing.
Sage – Contains contact details for the accounts departments of our customers, together with invoices and credit notes. We hold this information because UK law requires it for HMRC.
Payroll – This is held externally by our payroll provider and contains names, addresses, tax codes and income for our employees. We hold this to pay them and to meet HMRC requirements.
Active Directory – This is the security database which runs on our server. It contains names and encrypted passwords together with login details.
Exchange / email servers – This is held in Office 365 in the EU (if we supplied your email service, it's in the EU). It contains contact details for customers and prospects together with email conversations with those individuals. We hold this information for communication with our customers.
Laptops / Desktops – These will contain a subset of all the above information stores wherever the information has been used or processed. This equipment is owned by the business.
Mobile phones and tablets – These will contain information from Exchange. The mobiles are owned by employees.
Websites – Contain a history of who has used the contact form on the site.
Next time we will cover what data you have a right to store, and information officers.