GDPR – perfectly reasonable intentions, don’t get distracted by the detail

Published on: 20/03/2018

Firstly, like all legislation, GDPR is full of holes, grey areas, difficult interpretations and even some “flights of fancy”!  However, behind the regulation is the perfectly reasonable intention of ensuring that you know what you have, where it is and that you ARE in control of it.

 General Data Protection Regulation

Think about these basic questions and you’ll have the bulk of it addressed:

  1. “Do I know where personal data is?” – doesn’t sound unreasonable! Basically the EU wants you to be in control and the data to be stored in a country that obeys their rules. The UK does and MOST non-EU countries do NOT.
  2. “Am I in control of personal data?” – for example, is it secure, and can I delete a person’s information from my database (including paper copies) and be happy that it is “gone”? In the case of your website, if you delete a contact from your admin system, it goes into the website recycle bin. Remove it from there and it is “destroyed”. Remember that we back up your data, so it won’t actually be completely removed until all backups are deleted, which is a 14-day recycle period.
  3. “Can I demonstrate that it has been deleted?” – not once it has actually been deleted, other than by the acceptance of this policy and by not being able to find it again!

Let’s look at the first question, “where is your data stored?”. People who use “The Cloud” probably don’t know where their data is! For example:

  1. Your email
  2. Social Media
  3. Your Sales Database
  4. Online Sales data / bank and financial details!

The biggest one of these is your email. Think about the way you use email to tell other people in your organisation about staff / HR related issues, financials, strategic marketing decisions etc. If you are using Office 365, Gmail, “cloud” hosted email etc., where does that email (data) actually go?

Why does that matter? Because you must not permit the personal data you control to go outside the EU (unless it is to approved countries – Switzerland, Andorra, Faeroe Islands, Guernsey, Jersey, Isle of Man, Argentina, Canada, Israel, the United States, New Zealand and Uruguay). Some of these countries – including Canada and the US – are only “partial”!