So you just received yet another email from someone telling you ‘everything you need to know about the effects of GDPR’. You click on it, hoping that this time it will actually give you some guidance about what you can and should be doing. But oh no – it’s yet another person/company who has done a cut-and-paste job, and that hard-to-decipher legalese is still there on every single one of the 30 or more pages.
Having spent considerable amounts of time recently working through the 99 articles and 173 Recitals that make up the Letter of the Law, I can tell you it is a tricky old bit of legislation to get your head around. But it isn’t impossible.
Firstly, if this is the first you have heard of the GDPR then you are a little slow on the uptake. We’ve known it has been coming since 25th January 2012, with formal adoption starting early last year – so we’ve already had a year of the two-year transition period. You’ll hear some people say that the full details of the legislation are not clear – but that’s not true. The majority of it is set; it is just the greyer areas, where more guidance is required, that are still being ironed out. So you can’t really use that as an excuse not to get a grip on it now either.
So what do you need to do? Don’t panic. Event companies are unlikely to hold Sensitive Data as defined in the Regulation. Nor are you likely to have lots of Data Subjects wanting to utilise the Data Portability option, or Subject Access Requests for that matter.
My suggestion for your first step towards GDPR compliance is to appoint someone to take ownership of the task. They are going to have to take a few things out of that notorious Too Hard box, so they need to be someone who is dogged in the face of obstruction and obfuscation. They need to have the ear and support of a member of the senior management team. And they need the discovery skills of Sherlock Holmes.
As soon as possible they need to make a list. And if your event company is anything like some of the ones I have worked with over the years, it is likely to become a very long one. Because this list is going to have to cover Every. Single. Database. Yes, every spreadsheet, .csv file, FileMaker or Salesforce file on every laptop, computer and server that contains personally identifiable data. They need to know:
- Where it is stored
- What data it contains (i.e. fields)
- How many records
- When it was created
- When it was last used
- What it is used for
It’s not a pretty job. But this is your starting point. Until you know how much data you have, who has access to it, where it is kept and how much it is used, you will have absolutely no idea what solution you need or how much time it is going to take to become GDPR compliant.