Here are some of the questions we hear most often and the answers as we understand them. If you've got a question of your own, add it in the comments at the bottom of the page and we, or another reader, will answer it if we can.
The only source of information that's guaranteed to be correct at the moment is the final draft of the regulation itself, which can be found here. The first part of that document is actually mostly fairly easy to read, but it isn't written as a guide on how to implement the law.
Everything else you read regarding the GDPR is just someone's interpretation of a law that is yet to be tested in the courts, so approach it with caution. That certainly includes the content on this site, and it even applies to what's written on the ICO site; but as the ICO will be enforcing the law in the UK, its understanding of the law will matter to businesses here.
As a rule of thumb, this is the order of trust:
- The actual wording of the General Data Protection Regulation
- The Information Commissioner's Office's GDPR guidance
- Content written by people who aren't trying to sell you something
There's no simple answer to this question; it very much depends on what is meant by moving to the cloud. Cloud services like Microsoft Azure are certified as being able to form part of a GDPR compliant IT infrastructure, and that may be a very appealing route for organisations when compared with trying to harden existing on-premises servers. Bear in mind, though, that the provider's certifications cover the provider's own platform, not the way you configure and use it. An inherently insecure software system, for example one that doesn't require users to log in, or that allows weak passwords, is just as insecure when moved to the cloud and is now even more dangerous, as it is exposed to the whole of the web rather than just the users on your network.
That being said, redeveloping systems to be cloud based inherently involves considering the security of the data in great detail, and that is exactly the same thinking that is needed to reduce the chances of data breaches, so redeveloping old legacy applications as cloud-based systems can be a very effective way to bring them up to scratch for the GDPR.
Yes, a backup tape or other backup media will potentially contain a lot of individuals' personal data that falls under the GDPR. The deeper question is what a business can sensibly do about that, as there is no practical way to expunge a single individual from a backup file should a person ask to be removed from your organisation's records, or should you no longer have a reason to retain their data.
We expect that the GDPR will be enforced practically here and that, rather than having to devise ways to search through backups, the expectation will be that you keep your backup media securely: under lock and key if it's a physical medium (such as a tape), or in a secure location that only the appropriate staff have access to if it is a digital backup. In either case, we imagine the requirement will be to keep a detailed log of any time a staff member interacts with those backups. It also makes sense to encrypt the backups themselves and to set a defined retention period for them, so that a record deleted from the live system eventually ages out of the backup set as well.
Despite what software vendors may be keen to tell you, there isn't really any such thing as 'GDPR compliant software', instead software can form part of a GDPR compliant process. The most important part of making any process GDPR compliant is training staff in the principles of data security.
That being said, the GDPR does name encryption as an example of an appropriate technical measure (Article 32), without making it a hard and fast rule. Our recommendation is to ensure that personal data is stored on encrypted hard drives (full-disk encryption), and that the personal data columns in the databases that store the data for your software are encrypted too, with the encryption key held outside the database itself. This means that should someone gain access to your network and steal your databases, the personal data would still be inaccessible to the thief. The protection only holds as long as the key stays out of the thief's hands: if the attacker also obtains the key, or the credentials of an application that decrypts the data as part of its normal work, the encryption buys you nothing.
Encrypting your data in this way can remove the obligation to inform the affected individuals of a data breach, as the GDPR does not require that notification where the data has been rendered unintelligible to anyone who isn't authorised to access it (Article 34). It does not remove the obligation to notify the supervisory authority (the ICO in the UK) of the breach. You can read more on this in the Reporting Breaches section of our detailed guide.
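The column-level encryption recommended above, as an added example that is not part of the original page: a small Go program that encrypts the personal-data columns of a hypothetical customers table with AES-256-GCM under a key the application holds outside the database. The `CustomerRow` type, the column names and the sample customer are assumptions made for the example; the point it demonstrates is that a copy of the stored rows contains no readable personal data, that a different key cannot decrypt them, and that a ciphertext moved to a different column is rejected because the column name is bound in as additional authenticated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CustomerRow models one row of a hypothetical customers table. Only the
// personal-data columns hold ciphertext; the surrogate ID and the
// non-personal Plan column stay in the clear so the application can still
// index and join on them.
type CustomerRow struct {
	ID    int
	Name  []byte // nonce || AES-GCM(name)
	Email []byte // nonce || AES-GCM(email)
	Plan  string // not personal data, stored as plaintext
}

// ColumnCipher wraps an AES-GCM key that the application holds (for example
// fetched from a key management service at start-up), never the database.
type ColumnCipher struct {
	aead cipher.AEAD
}

// NewColumnCipher accepts a 16, 24 or 32 byte key (32 bytes = AES-256).
func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// Seal encrypts one column value. A fresh random nonce is prepended so equal
// plaintexts never produce equal ciphertexts, and the column name is bound
// as additional data so a value copied between columns fails to decrypt.
func (c *ColumnCipher) Seal(column string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// Open reverses Seal; it fails on a wrong key, a tampered value or a
// mismatched column name.
func (c *ColumnCipher) Open(column string, stored []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	return c.aead.Open(nil, stored[:ns], stored[ns:], []byte(column))
}

// StoreCustomer builds the row the application would write to the database.
func StoreCustomer(c *ColumnCipher, id int, name, email, plan string) (CustomerRow, error) {
	encName, err := c.Seal("name", []byte(name))
	if err != nil {
		return CustomerRow{}, err
	}
	encEmail, err := c.Seal("email", []byte(email))
	if err != nil {
		return CustomerRow{}, err
	}
	return CustomerRow{ID: id, Name: encName, Email: encEmail, Plan: plan}, nil
}

// LoadCustomer decrypts the personal-data columns of a row read back.
func LoadCustomer(c *ColumnCipher, row CustomerRow) (name, email string, err error) {
	n, err := c.Open("name", row.Name)
	if err != nil {
		return "", "", err
	}
	e, err := c.Open("email", row.Email)
	if err != nil {
		return "", "", err
	}
	return string(n), string(e), nil
}

func main() {
	key := make([]byte, 32) // in real use this comes from a KMS, not the code
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	c, _ := NewColumnCipher(key)
	row, _ := StoreCustomer(c, 42, "Ada Lovelace", "ada@example.org", "enterprise") // constructed sample
	fmt.Printf("stolen dump sees: id=%d name=%x plan=%s\n", row.ID, row.Name, row.Plan)
	thief, _ := NewColumnCipher(make([]byte, 32)) // attacker guessing a key
	if _, _, err := LoadCustomer(thief, row); err != nil {
		fmt.Println("wrong key:", err)
	}
	name, email, _ := LoadCustomer(c, row)
	fmt.Println("application sees:", name, email)
}
```

Note that the key lives only in the running process: a database dump, a stolen disk image or a backup tape contains the ciphertext and the `Plan` column, and nothing else usable. Binding the column name as additional data is a cheap guard against an attacker with write access shuffling encrypted values between rows or columns to learn relationships between them.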
It does indeed. For most businesses, this realisation is probably one of the key moments in grasping the breadth of the GDPR. The number of spreadsheets of sales leads, sales reports, staff data and reports exported from CRM, accounts and line of business systems in any organisation is enormous, and this data will be scattered across every computer, tablet and phone in the organisation... including the old ones sitting in a cupboard at the back of the store room.
A thorough audit of all the data stored on every device in the business should be top of any business's agenda for working towards compliance with the GDPR. Wherever possible simply delete old spreadsheets that contain personal data; it's far simpler and safer to simply not have the data if it's no longer needed.
It does, but potentially in a different way to the rest of the software in your business. For most software, any personal data stored in the system should be maintained and processed in accordance with the individual's rights and the Data Processing Principles, and this is true for accounting software too. However, the right to be forgotten (the right to erasure) is likely to apply differently to accounting software, because it forms part of your statutory record keeping responsibilities and the right to erasure does not apply where you are legally obliged to keep the data. You can read more about this in the Consent And Lawful Data Processing section of our GDPR Guide.
It does indeed. Your Customer Relationship Management (CRM) software is probably the place to start when assessing what personal data you are holding about individuals, and especially when considering how you can apply the principle of data minimisation. Most CRM systems have many, many fields for ancillary data about customers (everything from where they went on holiday to the names of their children) that some sales staff will no doubt have been using.
Data related to race and ethnicity is 'special category' data under the GDPR and brings additional responsibilities to organisations of all sizes, so it's particularly important to only hold that data if it is actually needed. The same goes for all personal data: if you don't need it, get rid of it, and get rid of the fields for storing it too if at all possible, so that people don't start recording that data again later. It's a reliable truth of software that if there's a box to enter data in, sooner or later someone will forget they are no longer supposed to use it and fill it in.