Wednesday, June 27, 2018

Make GDPR Compliance a Little Less of a Pain in the ...

If you do business on Earth, you've probably heard of GDPR - The European Union's General Data Protection Regulation.

Like me, you may have received a fat contract you will never read with a series of places where you might fill in some information, but it's completely unclear what you actually need to do. So you ignore it until you don't have any choice but to actually fill it out.

Not sure where to start? Well, lucky for you, I was forced to deal with this. So, naturally, I figured out a process. You will absolutely have to tweak this for your own purposes, but I'll walk you through what *I* do.

[Disclaimer: I'm not a lawyer or a GDPR consultant. I'm just a guy trying to make your life easier. You are responsible for your own actions.]

Before I dig into what I do, let me give you a resource that's very helpful: The GDPR Toolkit from the Isle of Man Information Commissioner. This 17-page PDF lays out a great strategy for managing "personal data" as defined in GDPR. And it's not as confusing as its chart looks at first. I know that sounds like a totally random resource. Thanks Google.

I won't go into all the details of GDPR compliance. I have a one-inch-thick book of that. But it's important to note one thing: under GDPR, "Personal Data" means any information relating to an identified or identifiable natural person. In other words, anything that could let someone pick out a specific individual. Obviously this includes first name, last name, and email address. But it also includes IP addresses and other online identifiers, mailing addresses, and a lot more.


My Handy-Dandy GDPR Mapping Process


Below I am going to present my entire GDPR "mapping" process. I call it that because it's very much like mapping fields in Excel or a database. Collect information here and put it there.

Basically, you need to identify the following pieces of information so that you can fill out forms and questionnaires. I find it very handy to identify this information once and then have it available for anyone who needs it.

1. Project Components. This is my brief description of the project that requires all this compliance work. I start here because I can break down each piece and determine where compliance is required. From there, I can use these pieces to document compliance throughout the rest of the document.

2. Why Personal Data is Collected
3. Whose Personal Data is Collected
4. What Personal Data is Collected
5. Legal Basis for Collecting Data
6. When Data is Obtained
7. When Data is Disclosed to Others
8. Data Retention
9. Where Data is Processed

The rest of the document (Items 2-9) is simply a set of sections to make sure you have answers to any GDPR questions you might be asked. Note: You may have an opportunity to simply copy and paste this information, but it's more likely that the form you fill out will have specific questions and you'll need to copy and paste selected pieces as needed.
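The nine items above are really a schema: every component that touches personal data has to answer items 2 through 9, cite a lawful basis that actually exists in Article 6, state a retention period, and call out any processing that happens outside the EEA. Here is that schema as a small Python checker. This is an added example written for this post, not the author's Word template and not any official GDPR tool; the field names, the audit rules, the EEA country list, and the sample map are assumptions, with the sample values lifted from the webinar campaign described later in the post.

```python
"""Machine-checkable version of the nine-item personal-data map.

Illustrative code added to this post. It is not the author's Word template
and not an official GDPR tool. Field names, audit rules, the EEA list and the
sample map are assumptions; the sample values follow the post's webinar example.
"""

# GDPR Article 6(1) lawful bases. A map entry citing anything else is a mistake.
LAWFUL_BASES = {"consent", "contract", "legal obligation",
                "vital interests", "public task", "legitimate interests"}

# Countries treated as "inside the EEA" for the transfer check (assumption:
# a real map would also record adequacy decisions and the transfer tool used).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}

# Items 2-9 of the map, keyed by the field names used in the sample below.
REQUIRED = ("why", "whose", "what", "legal_basis", "obtained_when",
            "disclosed_to", "retention_days", "processed_in")


def audit(data_map):
    """Return a list of findings for a map of {component name: attributes}.

    A component with collects_personal_data=False needs no further fields
    (the post's "No personal data required" items). Every other component
    must answer items 2-9, cite a real lawful basis, state a retention period,
    and have any non-EEA processing flagged so the transfer gets documented.
    """
    findings = []
    for name, comp in data_map.items():
        if not comp.get("collects_personal_data", False):
            continue
        for item in REQUIRED:
            if item not in comp:
                findings.append(f"{name}: item '{item}' is unanswered")
        basis = comp.get("legal_basis")
        if basis and basis not in LAWFUL_BASES:
            findings.append(f"{name}: '{basis}' is not an Article 6 lawful basis")
        if "retention_days" in comp and not comp["retention_days"]:
            findings.append(f"{name}: retention period is unspecified")
        for processor, country in comp.get("processed_in", {}).items():
            if country not in EEA:
                findings.append(
                    f"{name}: {processor} processes data in {country}; "
                    "document the transfer mechanism in item 9")
    return findings


# Constructed sample following the webinar campaign in the post
# (two years = 730 days; every processor is in the US).
WEBINAR_MAP = {
    "Print/ship books": {"collects_personal_data": False},
    "Newsletter promotion": {"collects_personal_data": False},
    "Speak at conference": {"collects_personal_data": False},
    "Webinar with client representative": {
        "collects_personal_data": True,
        "why": ["provide webinar access", "marketing"],
        "whose": ["webinar hosts", "webinar registrants"],
        "what": ["first name", "last name", "email address"],
        "legal_basis": "consent",
        "obtained_when": "at registration",
        "disclosed_to": ["Client"],
        "retention_days": 730,
        "processed_in": {"Zoom.us": "US",
                         "Intermedia (hosted Exchange)": "US",
                         "GLB in-house computer": "US"},
    },
}

if __name__ == "__main__":
    for finding in audit(WEBINAR_MAP):
        print(finding)
```

Run against the sample, the only findings are the three US-based processors, which is exactly the point: the map is complete, but item 9 has to say more than "located inside the United States" for the transfer to be defensible. Drop a field or misspell a lawful basis and the checker tells you which item of which component to go back and fill in.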

I create a Word document whose contents are below. Other than hiding the name of the client, this is exactly what I have in my internal-use document.

Just so you know what's going on here, I'm collecting two types of "personal" data. One is for myself and the client representative who will be on a webinar. The other is webinar registrants. All the details of what is collected, why it's collected, when it's collected, how it's used, etc. are right here.

- - - - -

Personal Data Map for GDPR Compliance

Project: (Client Name) Books/Webinar Campaign

This document prepared by Karl W. Palachuk, President, Great Little Book Publishing Co., Inc., d.b.a. Small Biz Thoughts.


1. Project Components
 - Print/ship books for Client to distribute at conference
o No personal data required
 - Promote webinars with advertising in my newsletter
o No personal data required
 - Speak at conference
o No personal data required
 - Webinar with client representative
o Will collect personal data for webinar attendees

2. Why Personal Data is Collected
 - Webinar with client representative
o Personal Data is collected in order to provide webinar access
o Personal Data is collected for marketing purposes

3. Whose Personal Data is Collected
 - Webinar with client representative
o Personal Data is collected from the webinar hosts (employees of client and GLB)
o Personal Data is collected from those who register for the webinar

4. What Personal Data is Collected
 - For the webinar, the following Personal Data is collected:
o From webinar hosts
-- First Name
-- Last Name
-- Email Address
o From webinar registrants
-- First Name
-- Last Name
-- Email Address

5. Legal Basis for Collecting Data
 - For the webinar:
o From webinar hosts
-- Data is collected by consent
-- Consent is evidenced by the webinar registration service
o From webinar registrants
-- Data is collected by consent
-- Consent is evidenced by the webinar registration service

6. When Data is Obtained
 - For the webinar:
o From webinar hosts
-- Data is collected upon setting up the video webinar service to create the webinar
o From webinar registrants
-- Data is collected upon registration for the webinar

7. When Data is Disclosed to Others
 - For the webinar:
o From webinar hosts
-- This data is not disclosed beyond this service
o From webinar registrants
-- This data is shared with client

8. Data Retention
 - For the webinar:
o From webinar hosts
-- This data is retained for two years
o From webinar registrants
-- This data is retained for two years by GLB

9. Where Data is Processed
 - For the webinar:
o From webinar hosts
-- This data is collected by Zoom.us, a cloud-based service located inside the United States
o From webinar registrants
-- This data is collected by Zoom.us, a cloud-based service located inside the United States
-- Registration data is downloaded to an in-house computer at GLB
-- Registration data is transmitted through email to Client. The email service is a hosted Exchange service housed at Intermedia and located inside the United States.
-- Once transmitted to Client, the registration data is deleted from the in-house computer at GLB.

Note Regarding the webinar Service Used:
 - We use Zoom.us as our webinar platform. This service is GDPR compliant and requires an explicit opt-in for IP addresses detected as originating in the EU.
 - For details on Zoom’s GDPR compliance, please see
https://support.zoom.us/hc/en-us/articles/360000126326-Official-Statement-EU-GDPR-Compliance

- - - - -

Three final notes. First, this is a great example of something that's not as bad as you feared. Second, there's enough work here that you should make sure you account for it in the cost of a project. And third, this is also a great example of how a little time documenting your process will save you lots of labor down the road. File | Save As ...

Feedback welcome.

:-)

