Tuesday, 1 May 2018

What is this GDPR thing anyway?


If like me you work with details of living people, then you must have at least heard of the GDPR. The General Data Protection Regulation, which comes into force 25th May 2018, is basically an upgraded version of the Data Protection Act 1998 (Stephen Fry rest its soul). What does it mean? Well on top of getting all the usual stuff (people have to ask to collect your data; have to tell you why they’re collecting it and how long they’ll keep it; they can't share it or let it get lost; they can only get data from you in the first place if they actually need it for something, etc.) we get some shiny new rights. Things like telling a company they have to ‘forget’ you (as in shred or delete every single bit of data they hold on you, unless it means they can’t provide the service for which you’ve given it), and a shorter (and free) period of time to request a copy of all the info someone has on you, are quite useful in the long run and I have to say it’s high time we had this tightening of legislation.

But what does it actually mean? I’ve been on two courses now for work: the CIPP GDPR for Payroll course and a government-accredited IT Governance GDPR course. It’s a pretty dry subject, but it’s well worth the read. The consequences of a breach of protected data at your company or business are one thing, but if you're not even aware of what constitutes a breach and what you’re supposed to do about it, things get very bad very quickly.

Take for example a typical Tuesday morning for me.

Colleague: I can’t get in the restricted-access personnel folder.
Me: Yes.
Colleague: Well I need to get in.
Me: There’s a reason you don’t have access to that folder. What are you trying to do?
Colleague: I just want to look something up.
Me: No.
Colleague: What?
Me: NO. As in ‘no’.
Colleague: But I need it.
Me: If you can demonstrate why, then I’ll get you the necessary information.
Colleague: Do I wait here?
Me: Buses don’t stop here.
Colleague: What?
Me: I don’t know why else you’d be waiting here.
Colleague: Well for access.
Me: Let’s skip a lot of misunderstanding, shall we? You need to show me first why you have a right to see the information. Then, and only then, can I give it to you.
Colleague: You’re taking this a bit far.
Me: *cups hands around mouth and shouts* Does anyone want to see the contents of Colleague’s file? It might have juicy information in it, like any grievances they’ve brought against you, or if they’re divorcing anyone, or how many kids they’re claiming childcare vouchers for - and their surnames! Anyone? Anyone?
Office: *sounds of giggles, general hand-waving of amusement and negation*
Colleague: Stop that. You can’t just show people my stuff.
Me: So you DO understand data protection, then?
Colleague: But I need access.
Me: No. What you need is to ask me for the PIECE or PIECES of information you need, and I’ll get it for you.
Colleague: Well why do you have access and I don’t? I’m a manager. You’re just a—
Me: Steady. I pay your wages into your private bank account, don’t forget.
Colleague: I was only going to say that you’re not manager level.
Me: Data protection doesn’t care about your manager level. I need your private details in order to do my job, which is pay you and create and maintain your personnel records. People sitting next to me in HR do NOT pay you, so they don’t have access to things I do, even though they’re also in HR. Directors of the company don’t have access to it either, because they don't need it to do their jobs. See how it works?
Colleague: This is going to take forever.
Me: It is if you keep going on about it. Just email me with the request for information and I’ll see if I can release it all. If I can’t, I’ll release everything I can.
Colleague: You mean even if I ask nicely I still might not get it?
Me: Correct. The same way that if someone asked me very very nicely for your personal bank details, I would say ‘no, it’s against GDPR principles’. See?
Colleague: So… how do I get the information? Can HR get it for me?
Me: No. For all the reasons I’ve just said.
Colleague: This is political correctness gone mad.
Me: *cups hands around mouth and shouts* Colleague wants to waive their right to all data protection! Who wants to trawl through their file!
Office: *more giggles, more hand-waving of amusement and negation*
Colleague: You can’t do that!
Me: You just said it was going too far. What you mean is, it’s only going too far when YOU want something FROM someone else. Are you going to go away and email me a request? I have things to do.
Colleague: You’re not being very helpful.
Me: *[GIF: Lucifer (Tom Ellis), “up yours if you don't mind”]*

To make matters worse, this person has actually sat through a 1 hour introduction to GDPR and done the mandatory online test afterwards - and must have scored at least 75% or they would be on my hit-list of people who need to complete it before 25th May 2018.

So this person - Fuckwit, let’s just call them Fuckwit - decides to go over my head to the GDPR working group we have. Because we have fewer than 250 employees we don’t need to employ a Data Protection Officer (DPO), so instead we have a group of people, one from each department, to get shit done. Fuckwit goes to make a cup of tea and tells another colleague all about it. This second colleague, full of themselves because they read an article online once, decides that Fuckwit has indeed been slighted and goes with them to lodge a complaint. So Fuckwit and - let’s call them Chucklefuck - go off together to see the person in the GDPR working group who has the final advisory decision on who gets to see sensitive data (bearing in mind that sensitive data is even more protected than normal personal data).

Fuckwit and Chucklefuck go upstairs and speak to (or rather, whinge to) someone they think can help. They tell them in no uncertain terms that actually, the one person who can advise on sensitive data issues is the only person in the company who has to work with it all day, and is therefore the only person who gets to see it or dispense it.

You get to guess who that person is.

Yes, Fuckwit and Chucklefuck have to come back down to my desk and ask me nicely to see data. I tell them again that they have to ask me in writing, and give the reasons they ‘need’ it. Because if their need isn’t a genuine requirement of completing the job for which the data was given, then the answer will again be no.

You can guess how happy they were to hear this.

They refused to write the email and said they would complain to ‘some kind of ombudsman’. I gave them the website address for the ICO, which regulates all this, and said I would welcome their contact with the regulatory body in charge of checking and fining people for breaches, and of course a bit of guidance from the European Commission.

They went away happy and I was happy they went away.

So there’s that.

But it’s really not that hard; the old ways of sharing stuff across offices, not even checking to see if it’s relevant or if you’re sharing stuff no-one else is supposed to see, are over. (And don’t under any circumstances share anything with the USA under their Privacy Shield - it's nowhere near the same and nowhere near as watertight.) Privacy by design (systems that are built in such a way that they have security in every step), auditing access to info and controlling it, maintaining an effort to keep it controlled - these are all things that may seem boring and soul-destroyingly convoluted to most people, but they make up about 80% of being compliant with GDPR. When the very worst breaches in the biggest companies can attract a fine of up to €20 billion, showing you’ve tried to mitigate any breach, and then how you’ve installed a better lock on the gate after the horse has bolted so it won't happen again, can really make all the difference.
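As an added illustration (this is not code from the original post, and nothing in it describes a real system), here is a small Python model of the rule the Tuesday-morning dialogue keeps repeating: access follows the purpose the data was collected for, never seniority; every request names specific fields and a purpose rather than “the folder”; and every decision, refusals included, goes into an audit trail the data subject could later be shown. The job functions, purposes, field names and sample record are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List

# Constructed mapping: which fields each processing purpose may read.
# A field absent from a purpose's set is never released for that purpose.
FIELDS_BY_PURPOSE: Dict[str, FrozenSet[str]] = {
    "payroll": frozenset({"name", "bank_account", "tax_code", "childcare_vouchers"}),
    "absence_management": frozenset({"name", "sick_days"}),
    "emergency_contact": frozenset({"name", "next_of_kin"}),
}

# Constructed mapping: which purposes each job function may claim.
# Seniority is deliberately not a key: "director" or "manager" grants nothing by itself.
PURPOSES_BY_JOB: Dict[str, FrozenSet[str]] = {
    "payroll_officer": frozenset({"payroll"}),
    "hr_advisor": frozenset({"absence_management"}),
    "line_manager": frozenset({"absence_management", "emergency_contact"}),
}


@dataclass(frozen=True)
class AuditEntry:
    """One line in the access log, written for every request, granted or not."""
    when: str
    requester: str
    job: str
    subject: str
    purpose: str
    requested: FrozenSet[str]
    released: FrozenSet[str]
    decision: str  # "granted", "partial" or "denied"


@dataclass
class PersonnelStore:
    records: Dict[str, Dict[str, str]]
    audit: List[AuditEntry] = field(default_factory=list)

    def request(self, requester: str, job: str, subject: str,
                purpose: str, fields: Iterable[str]) -> Dict[str, str]:
        """Release only the named fields that the stated purpose justifies.

        An empty field list (asking for "the whole file") is always refused,
        as is a purpose the requester's job function does not carry.
        """
        wanted = frozenset(fields)
        permitted: FrozenSet[str] = frozenset()
        if wanted and purpose in PURPOSES_BY_JOB.get(job, frozenset()):
            permitted = wanted & FIELDS_BY_PURPOSE.get(purpose, frozenset())
        record = self.records.get(subject, {})
        released = {f: record[f] for f in permitted if f in record}
        if not released:
            decision = "denied"
        elif frozenset(released) == wanted:
            decision = "granted"
        else:
            decision = "partial"  # some fields refused, the rest released
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            requester=requester, job=job, subject=subject, purpose=purpose,
            requested=wanted, released=frozenset(released), decision=decision))
        return released

    def access_history(self, subject: str) -> List[AuditEntry]:
        """Everything the audit log holds about one person's record."""
        return [e for e in self.audit if e.subject == subject]


def build_sample_store() -> PersonnelStore:
    """Constructed sample data; nothing here belongs to a real person."""
    return PersonnelStore(records={
        "alice": {"name": "Alice Example", "bank_account": "00-00-00 12345678",
                  "tax_code": "1250L", "childcare_vouchers": "2",
                  "sick_days": "3", "next_of_kin": "Bob Example"},
    })


if __name__ == "__main__":
    store = build_sample_store()
    # A manager asks for the whole file: refused, and the refusal is logged.
    print(store.request("colleague", "line_manager", "alice", "absence_management", []))
    # Payroll asks for one field, for the purpose the data was collected for: released.
    print(store.request("me", "payroll_officer", "alice", "payroll", ["bank_account"]))
    for entry in store.access_history("alice"):
        print(entry.decision, sorted(entry.requested), "->", sorted(entry.released))
```

The two tables are the whole policy: a job function carries purposes, and a purpose carries fields, so nobody is ever granted “the folder”, only the intersection of what they asked for and what their stated purpose justifies. Keeping refusals in the same log as releases is what lets you show a regulator afterwards that the controls were actually exercised.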

And that’s pretty much it for today. At some point I’ll have to regale you with the most ridiculous email queries I’ve had just this week - honestly, some of them make you wonder how these people get their trousers on in the morning.

Soopytwist.
