GDPR – what are “reasonable steps”? Behavioural changes are needed

The General Data Protection Regulation continues to be a focus of attention.

Whilst the fine details have been delegated to a fellow partner, a “willing volunteer” who I don’t believe knew quite what he was letting himself in for, there are some “big picture” areas to consider.

Data security is paramount, so the question is how, practically, to protect data, especially where it is leaving the office.

A secure portal has long been in place, and this has worked really well. However, not everyone, internal or external, has embraced it fully. Payslips have been sent in a password protected format, but we are now moving to payslips by portal too.

With the portal, the end user can click a “forgot password” button and be emailed his password or a temporary password to enable it to be reset – but this is not possible with other forms of protection.

Passwords! We received a password protected Excel sheet recently. The password was sent by a separate email. A staff member saved the email and attachment into the document management system but forgot to attach the password to the document! When she was next in the office, she found the email with the password and saved it. But on trying to open the document, the password was reported as invalid! Back to square one – email the sender and ask her to resend, and so on.

The same principle applies to encrypted documents. We can encrypt any type of file through a small program. This asks for a password or phrase during the encryption process. The recipient then applies this password to the encrypted file to decrypt it.

Internally, the outgoing email would be saved to the document management system, obviously with the encrypted file attached. So, to read it again means having to decrypt it, which means the password needs to be available. Forget to record it and the file is locked forever. There is no way of saying “forgot password – send me a temporary one”.

It is to be hoped(!) that the portal method is used wherever possible, and that encrypted or password protected files are not uploaded to that portal!

Within the last two weeks, a standard letter was sent to a job applicant stating that there were no vacancies at present, but that the details would be kept on file in case a vacancy arose. This was all stored in the document management system (and I suspect the paper copy may well have been hole punched and filed in a filing cabinet somewhere!). Under GDPR, things must change, as such data should not be retained for an indefinite period. If we choose to just keep the letter saying there were no vacancies, and dispose of the CV attached, is this permissible under GDPR? We still have a name and address on file. We need to research this further.

It does go to show that apparently “little issues” are capable of sucking in large amounts of time. This was highlighted in a recent blog post.

These changes, however, flag up a bigger issue! For the last 12 years, we have been shouting and screaming, emphasising all the time that the Document Management system is the core of our business, and that everything should be saved in there. Now we need to either be selective (dangerous!) or systemise the removal of saved documents. Another feature of the DM system was that data could not (normally) be removed!

There will inevitably be lots more little niggles and issues over the next few months…

What have you come across in dealing with GDPR issues that have caused some “head-scratching”?