As many of you probably know, the date of General Data Protection Regulation (GDPR) implementation is coming ever closer. At The Engine Room, we’ve been using it as an excuse to do a spring clean on the infrastructure we use for managing data. In this post, we’ll outline a few tactics that we’ve used so far, in the hope that our findings might be useful for others.
Where to begin?
We started with a tactic we often use – finding out what others know. In November 2017 we held a community call with the responsible data (RD) community, and invited Pat Walshe, Sean McDonald and Gloria Gonzalez Fuster to share their thoughts on the GDPR. We wrote up some findings in this blog post. One of our biggest takeaways was that the GDPR is a promising step in the direction of taking a rights-based approach to working with data, something that the RD community has been pushing for for a long time.
One of the great – but also tricky – things about the GDPR is that it’s cross-organisational. It affects data held for operational communications and research purposes. Of course, it also affects the activities of technology teams. Not everyone on a team, however, can spare the time to dive in and learn more about the GDPR and what it means. To address that at The Engine Room, we produced a 101: GDPR and The Engine Room sheet for our team members. (Note: we’re not lawyers, so take that with a pinch of salt. If in doubt, consult lawyers!)
We also developed potential use cases, imagining what kinds of requests we might receive. We wanted to go beyond the abstract legal-speak and help people to think more concretely about how the GDPR affects their work in particular. These included the following:
- [Newsletter subscriber]: Hello! I’ve forgotten when I gave consent for you to send me your newsletter. Could you remind me?
We need to keep track of when we got consent and how. (This is automatically recorded in Mailchimp, but if we ever do events/add people manually to mailing lists, we need to keep that information.)
- [Former support partner]: Hi there, I’d like to have access to all the data you hold about me. Could you send me everything you have? And, could you let me know for how long you plan to keep that information, and why?
They’re exercising their right to access information about them, and to know what’s happening to data about them.
- [Former contractor]: Hi there, er, can you delete all mention of me on your systems? Website, Google Drive, financial info, everything?
They’re exercising the right to erasure – to operationalise this, we’ll have to get better at recording when we collect personal data, so that we know where to go to delete it.
We started a ‘master document’ – a README – of all the information that we’ll be giving our colleagues over the next months with regards to the GDPR. We also developed an internal communications plan to think about the best way of sharing this information in a way that is (a) accessible, (b) not overwhelming and (c) actually useful to their work.
We also decided on doing weekly updates on our progress on our team-wide mailing list, essentially drip-feeding what we thought were key pieces of information, and spreading out requests for support.
Time for a spring clean
Thanks to our colleagues in Tech and Operations, we had a lot of pieces of the infrastructure that we needed in place already. We had lists of all of the third party systems we use, detailed onboarding documents noting which services different people (team members and contractors) have access to, and just a couple of places where we store personal data.
With this in mind, we put together a Data Audit spreadsheet – noting down all the sets of personal data that we hold, how long we hold it for and why, and where it’s stored. It was refreshing to realise that we hold very limited personal data (mostly just names and email addresses, and in the case of contractors, bank details).
Next, we’ll be creating an easy way for our colleagues to keep a record of when, why and how they’re collecting personal data in the future, together with reminders of when we should be deleting that data. We’ll keep you updated on how it goes!
Here are two of our resources so far. If we’ve missed anything, let us know on firstname.lastname@example.org, which goes to Laura, Paola, Tom and Zara.