GDPR Action Plan Part 1Understanding the personal data you process
In this article, we’ll look at:
- How to understand what constitutes personal data
- How to confidently audit your business for personal data
- Some further resources
The first stage in anyone’s GDPR compliance plan should be to understand what personal data your business is collecting. Only then can you establish whether your collection, storage and processing of that data is legitimate.
In this article, we’ll step through a suggested process for understanding and auditing your personal data.
If you’re short on time, you can skip to the section you’re interested in:
What is personal data?
Short answer: virtually anything that allows you to identify – directly or indirectly – an individual person. And it doesn’t matter if the information is in electronic format or on paper, the GDPR still applies.
Some examples of personal data are obvious – customer names, email addresses, phone numbers – whether they are stored electronically (on a spreadsheet or database) or manually in paper files.
These are going to crop up all over the place:
- Customer lists;
- Mailing lists;
- Customer surveys (or at least non-anonymous ones)
- Order books;
- And so on.
Other examples are less obvious, because the regulations refer to ‘identified and identifiable persons’ – so even if you don’t collect things like name and address, if I could use the data to identify you, even indirectly, it falls into the category of personal data. Such as:
- A customer ID;
- A photograph;
- Combinations of non-specific data (such as age, gender and postcode) which, when considered together, potentially allow you to identify a person;
- Technical data such as IP address (although we’ll come back to this again later).
Once you’ve established that you are collecting personal data (and you probably are), then you can be pretty confident that you are subject to the GDPR, and therefore need to read on.
Auditing your existing data
1. Identify the circumstances in which you collect data
Quite genuinely, a pack of Post-Its and a wall can really help here – because you can just note things down as you think of them, and then rearrange, group together and de-duplicate later.
The objective of the exercise is simply to start to track all of the existing collections of data that you are holding in your business. At this stage, don’t think about the individual bits of data that you’ve got, rather think about all of the different ways that you collect data about your customers, employees, partners, suppliers etc.
Some examples of what we mean:
- Information submitted by customers via your company website – contact forms, online purchases, online chat etc
- Details that you take from customers when they place an order over the phone
- Employee information that you collect when people start to work for you
- Contact information you record when you take on a new supplier
- Details submitted when people sign up to your mailing list
- Details from business cards that you collect at trade fairs
Hopefully you’ll see the point here – if you can identify the circumstances in which you collect data, you can then move on to drill down into what data you collect, and how you use it (that comes in Part 2).
So, whip out your fresh new pack of Post-Its, and start jotting down all the circumstances in which you collect data that relates to individuals. If you’re not sure about one, write it down anyway, and review later – just don’t lose that thought!
2. Confirm that this is ‘personal data’
This is where it’s worth doing a quick sanity check that we are really talking about ‘personal data’ in GDPR terms. Remember, the GDPR defines personal data as any information relating to an identified or identifiable natural person.
So, if any part of the data you collect identifies a person, or would be capable of identifying a person if it was used in combination with other information, then you are best to assume that this is personal data.
Frankly, it’s a bit difficult to think of too much data that wouldn’t qualify as ‘personal’ but here’s a couple that we came up with:
- Information relating solely to a company or other organisation – because a company is not a natural person. But contact information is still personal data, even if it refers to somebody’s work phone number or work email address;
- Completely anonymous data – if you collect feedback forms in your restaurant, and the information is completely anonymous, this is probably not personal data, assuming that you can submit that information anonymously. But be careful – if you ask people to submit feedback online, you might be tracking information about them (such as their IP address) that you don’t realise.
3. Create a Personal Data Log
This is the time to crack out Microsoft Excel (or whatever your personal spreadsheet software of choice is), and start to create a Personal Data Log for your business.
The objective of the Personal Data Log is to provide an ongoing record of the data that you collect – not only will this be a useful reference for you, it also represents an important part of your overall compliance process because it can be used to demonstrate your compliance efforts.
The log is going to start simple, with just a column that lists all of the personal data inputs that you have identified in your post-it exercise above. As we progress, you will add more columns to this spreadsheet – the end result will be one centralised record of your personal data types, along with details of who has access to the data, how long the retention period is, what your legal basis for each data type is and so on.
This should be a living document – as things change within your business, you update this log. The image below shows an example log – you can ignore Column B onwards for now, we will be completing these next.
You can download this sample Personal Data Log as a starting point if you wish.
It goes without saying that this PDL needs to be as comprehensive as you can possibly make it because we recommend using it as a starting point for your entire compliance effort. If you miss a source of data at this stage, then the chances are you will continue to overlook that data in the future.
Sole traders and one-man-bands should take time to reflect on this Personal Data Log to ensure that they can see the wood for the trees, and they’re not missing anything. Larger businesses should ensure that they consult with staff across the organisation, and sanity check the information carefully.
4. Getting specific about the data
Having identified the various circumstances in which you collect potentially personal data, it’s now time to start getting specific about the actual categories of data that you collect. For many businesses, this will be relatively straightforward (it might just be name and email address in many cases) – but for others, it will get more complex.
The purpose of identifying these categories of data is fourfold:
- To confirm that you have a real grip on the exact data that your business is asking people for
- To check whether any of the data you collect relates to children under the age of 16, for which there are additional requirements in relation to parental consent
- To check whether any of the data you collect falls into a range of Special Categories defined by the GDPR, for which there are additional regulations and constraints
If you’re using our sample Personal Data Log, then now’s the time to complete Columns C, D & E.
The GDPR specifically mentions a number of types of data that it considers to be Special Categories of data. In general terms, the regulation prohibits the processing of such data unless the person to whom the data applies has given explicit consent for one or more specified purposes.
This effectively means that consent is the ONLY lawful basis for collecting such data – and the implication is that the consent must gained be very carefully and specifically.
The GDPR Special Categories of data are:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trades Union membership
- Genetic or biometric data
- Health or data concerning a person’s sex life or sexual orientation
If your Personal Data Log reveals that you are collecting data falling into any of the Special Categories, then your consent processes will need to be watertight.