So, you worked hard to complete your GDPR policies; updated your privacy policy and emailed all your clients to confirm their consent. But have you slipped already? In the general busyness that most of us live our lives in, have our good intentions gone out of the window? Try this little test – tell the truth now!
Score 1 for every ‘FAIL’
1. How tidy is your desk – look around… you get a ‘FAIL’ if there is anything left out that should be locked away! Are you operating a clear desk policy?
2. Do your desktop, laptop, tablet and phone have tough passwords? No shirking here – anyone with no password, or whose password is ‘password’ or 1234, has to answer ‘FAIL’ to this. Cautionary tale: A local councillor has just been suspended for posting horrid inflammatory comments on his FB page. His defence was that his laptop wasn’t password protected and someone else posted the horrid comments. He can’t have it both ways: either he’s in breach of GDPR regs and the council is in trouble (I assume he used his laptop on official business), or he really is a nasty piece of work.
3. Any external drives left out? This includes pen drives and any other little storage devices. Look around – no sneaking these into a drawer. If they are out on your desk then they all count. Get a ‘FAIL’ for every device.
4. Speaking of drawers – are they locked when you leave for the day or pop out for lunch? Really? No cheating. Closed is not locked! You know if you deserve a ‘FAIL’ here.
5. Now check your computer/laptop – have you got any big data files lying around? Any emails with data files you should really have deleted or saved to an encrypted space? ‘FAIL’ if you have data in emails, on desktops, or anywhere risky. Cautionary note: The highest risk people in your organisation are likely to be the senior minister if it’s a church, or the CEO, or even the chair of trustees. These guys often feel that normal rules and regulations apply to everyone else. Remember Hillary Clinton and her infamous ‘these messages were all on my private server so normal government regulations didn’t apply’. Also, they’re often so busy they fly mostly ‘by the seat of their pants’.
6. Emails – emails are just so dodgy. Have you received or sent any emails with attachments that contain data or content you really should have encrypted? ‘FAIL’, most probably. Do you have a clearly understood and effective system for deleting e-mails?
7. Almost there! If you are the boss, can you really say that your staff, including volunteers, understand how GDPR impacts them? Be honest here; sending them an email with a link to the ICO website doesn’t count. ‘FAIL’ – no fibbing just because you are the boss. Contact us if you need help. Most days we’re getting GDPR related questions to answer.
8. Finally, the dreaded SAR. Do all your staff know how to recognise and respond to a Subject Access Request? If you have received any, have you responded and processed them accordingly? ‘FAIL’ if you answer no to either. Cautionary tale: As I write this, one of my clients has received a request to erase all of a subject’s data. Believe me, a SAR is like a walk in the park compared to an erasure request. More of that in my next issue.
Good luck all.
With credit to Adam Brogden, highly competent GDPR specialist (www.optindigo.com), for these questions. Adam says, ‘GDPR is not just about completing documents. GDPR is more like a fundamental change to how you collect, store, and process data!’
We can help you stay safe: How can small organisations stay safe when there are so many ways they can slip up, and even the big boys don’t seem to be able to cope with the complexity of it all? We specialise in keeping things as simple as possible in an increasingly crazy world.
Daryl Martin
Founder, AFVS