
Starting my journey towards GDPR

March 2, 2018

Are you all aware of the GDPR?  The GDPR is the EU’s General Data Protection Regulation which applies to all EU Member States from 25th May 2018.  That’s us!  We have to abide by it.

Well I’ve been getting started on preparing for GDPR and I thought you might be interested to read about my journey towards compliance.  My intention is to let you know what I’ve found out and what I’m doing to prepare, in case it is useful to you to follow my lead and do the same.  Or maybe you’ll simply feel a bit better to know that not everyone has their heads around it yet…

As a researcher my job is to collect and process data, so it was my expectation that GDPR would routinely affect my work and that I would be subject to some pretty specific new instructions.  As such, my professional body (the Market Research Society) was my first port of call, and I’m extremely grateful that they have provided a series of documents under the heading ‘GDPR – helping you get ready’.  They are ‘members only’.  Sorry if you’re not one as they are very helpful.

So the first tentative steps that I have taken are to read through all of these various documents and think about the likely actions that will be required.

Research (as I do it, accredited by the MRS) is an ethical business and is very much driven by consent and ethical good practice.  As such, I’m very pleased to say that – on first reading at least – it looks like GDPR won’t make any substantial difference to the way that I practice research.

First things first I shall appoint myself the Data Protection Officer.  I’m a one man band so I don’t have much choice on that one.  In my first actions as Data Protection Officer I have started up an electronic folder called ‘GDPR’ to document my actions, and I have noted my appointment as DPO in there.  I’ve also added this to my website.

OK good.

At this point, it looks to me like the main changes demanding action from me will be around:

  • Explicit consent
  • Documentation
  • Secure storage of data

Explicit consent

The definition of explicit consent has changed, and the GDPR outlines a consent standard with minimum requirements which must be achieved. This is part of a commitment to transparency of information for data subjects.

As a member of the Market Research Society I am very much used to securing explicit informed consent, so this new standard should just be a matter of semantics for me.  I’m already committed to the theory of it but I will need to slightly change the words I use in preparing appropriate ‘privacy information notices’ each time I collect data.

Hopefully!  I’ll let you know if I’m wrong, or if any challenges arise when I’m starting to use the new wording.

Documentation

Something running right through the guidelines is that you have to document a whole bunch of stuff.  Data controller/processor, legal grounds, level of risk…  I’ve noted down about ten things so far…

So to address that I have decided to prepare a new project document detailing all the various GDPR things – which I will complete at the start of any project, then keep on file and share with my client each time.  I’m hoping that if I make a handy template, it will become routine and only add 15 minutes to the start of each job. Again, I’ll let you know if I’m wrong, or if any challenges arise when I’m doing this.

Secure storage of data

The GDPR has a couple of stipulations which refer to storage of data, these being:

  • Data Retention – Must not be kept for longer than necessary.
  • Integrity and confidentiality – Personal data should be kept secure.

I currently store my data in secure password-protected electronic files, with a password-protected cloud backup using Microsoft 365. That all seems adequate.  But I will also need to limit how long I store the personal data, which will mean deciding and documenting how long it is ‘necessary’ to keep data and then auditing my files and deleting old stuff to comply.

Crucially, I will also need to ensure that the external places where I store or process data (for me that is Surveymonkey / Mailchimp / Cloud) comply with all this, particularly as they may be located outside the EU.

In summary

Don’t get me wrong, that’s not all that has to be done.  It’s just that as a member of the MRS I do quite a lot of what is required already (i.e. obtaining explicit and tailored consent, honouring the right to withdraw consent or be forgotten, and understanding, minimising, anonymising and pseudonymising data).

So my understanding at this point is that I can still do what I did already but I have to document things differently.

Am I right?  Watch this space as I delve into this further…
