10 Data protection questions to ask before starting a new project
Does your project include processing of personal data? Or any other kind of data? Or sharing data between organizations?
Chances are, you’re going to have a workstream of activity related to data management and data protection.
I’ve worked on a lot of projects with a data migration element, and many of my projects require DPIAs (more on those later). Wherever you are in the world, ethical project management standards, and the implications of AI, require you to be on top of data protection principles.
Yes, you’ll have a data protection officer or some other similar role on the team, but you also need a basic understanding of what data protection means when you change a process or build new software or a new feature.
In this article we’ll look at what project managers need to know about data protection.
GDPR was a once-in-a-generation update of our data protection regulations. And it has huge implications for people managing projects that store, capture or process personal data.
GDPR and data protection … it’s not over, even though the GDPR regulations are now in force.
Data protection is not a ‘one and done’ thing. This area of regulation is constantly evolving.
For a while, GDPR projects were everywhere; you might have been involved in one yourself. But beyond the setting up of GDPR principles in your business, what does data protection look like for project management? Because it is still affecting us, even if you don’t talk about ‘GDPR’ every day.
What data protection considerations do you need to take into account before a project starts? This will also apply to you if you work within a PMO.
Below I’ll look at 10 questions managers should ask themselves before starting a new project, and there’s a quick video covering some of the main points below — scroll down for that.
But first, let’s cover the basics.
You should know that I’m not a lawyer and this article does not in any way constitute legal advice or business advice. I’m just someone who has done a lot of research about GDPR. Always take advice from your legal team.
What is GDPR?
It’s highly likely that you have heard about GDPR – the General Data Protection Regulation, which has applied across the EU since 25 May 2018.
In the UK, the Information Commissioner’s Office (ICO) ran campaigns to raise awareness and to help businesses comply. Their guidance continues to be pragmatic and very helpful.
Unless your management team have been living under a rock, they will have worked on making your organization compliant with the new regulations because the implications of not being compliant are significant.
GDPR is relevant even if you aren’t in Europe
Oh yes – this is the biggie.
Even if you personally aren’t in Europe, and you aren’t working for a European firm, you still need to abide by GDPR if you process the data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour (that is the territorial scope rule in Article 3(2)).
The simplest example is if your business builds new software. If you make it available to buy on the internet, and let people from all countries buy it, then GDPR applies to the way you process the data of your European customers.
Frankly, it seems easier to me to apply good data protection principles to all your customers. Life is too short to try to put dual processes in place and have non-European and European individuals treated differently. The obligations aren’t that onerous – honestly.
Even if GDPR isn’t top of mind for you, there are lots of other data protection regulations to consider
Already up on GDPR or sure it isn’t a consideration?
What about PIPEDA in Canada, CCPA in California, the impact of the Schrems II judgement and plenty more?
In other words, you definitely need legal support but many ‘ordinary’ data protection queries can be covered off if you consider how to manage personal data on your project before you get started.
What is personal data?
The ICO defines personal data as:
information about a particular living individual.
That’s quite broad, and covers things like:
- Name
- Address
- Date of birth
- Location data, for example from a device’s GPS or from an IP address
- Identification number, such as a customer reference number, as long as that can be tied back to a person
- Online identifier, like a social media user name.
Many, many projects will store, touch, capture or process personal data, because businesses have huge amounts of data about both customers and staff.
Here are 10 questions project managers need to ask about data protection before starting a new project.
1. Who is your data protection officer?
Your company may well have a Data Protection Officer (DPO). GDPR makes one mandatory for public authorities and for organizations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data (Article 37); many other organizations appoint one anyway. This person is responsible for all data protection issues within the organization, and is your first port of call if you have a data query.
It’s good to know who they are. They become one of the subject matter experts you can then draw on during the project in case you have questions about data protection, or any of the data subject rights under GDPR.
2. What is a Data Protection Impact Assessment?
Does your project handle personal data? If so, you’ll need at least to screen for whether a Data Protection Impact Assessment (DPIA) is required. GDPR (Article 35) mandates one where the processing is likely to result in a high risk to individuals, for example large-scale profiling or monitoring, and many organizations simply require one for every project that touches personal data. You will sometimes see it called a Data Privacy Impact Assessment; it is the same document.
A DPIA is basically a structured review of what personal data is being handled as part of the project. There are lots of questions to answer, and at the end you get an idea of the scope and scale of the risk.
The DPIA looks at:
- The scope, context and purpose of the processing required
- Whether it’s necessary to process the data
- What compliance measures are/will be in place
- The risks to individuals (your data subjects)
- The measures you can take to mitigate those risks, for example, controls that reduce the chance of unauthorized access to the data: physical security for buildings, role-based access control, strong authentication, encryption of data at rest and in transit, and so on.
Your PMO should have a DPIA template, and any project that touches personal data should be required to complete it. This is something your Information Governance Manager or DPO can help with.
Then you can appropriately plan the controls and actions required to move the project forward.
DPIAs are covered in this video, where I highlight some of the key data protection concerns for project managers.
3. Will you transfer data outside the country?
Does your project involve transferring data outside of the country, or, for GDPR purposes, outside the UK or the European Economic Area?
If so, you’ll have to pay special attention to what that requirement looks like. Transfers to a third country are only lawful under an adequacy decision for that country or with appropriate safeguards in place, such as standard contractual clauses, and Schrems II added the requirement to assess whether those safeguards actually work in practice. You may have to face the reality that you might not be able to do it. If the destination country or the company you want to transfer to cannot offer those safeguards, you could be better off looking for an alternative solution that doesn’t require transferring data overseas.
This is one area where you will want to draw on the expertise of your DPO and the lawyers in your business.
One of the GDPR principles is data protection by design and by default (Article 25, often called privacy by design), so you should be building any new systems or business processes with a privacy-first approach.
4. What does your privacy notice say?
You’ve read your company’s privacy notice, right? They probably have one for staff and one for customers.
Even if you’ve never bothered to look at it before, if you are running a project that uses or captures personal data, then it’s worth taking a look. You need to be sure that your project can meet the standards laid out in the privacy notice and maintain privacy rights for individuals.
For example, if there is nothing in there about contacting customers via SMS message, then you can’t contact customers via SMS message, even if your project sponsor thinks it’s a genius idea. The privacy notice tells people what you will do with their data, and you can’t quietly go beyond it. Electronic direct marketing by SMS also needs the person’s consent (in the UK this comes from PECR as well as GDPR), and if you don’t have it, you can’t do it.
You may also hear the privacy notice referred to as a Fair Processing Notice.
5. What is the retention policy for data?
Projects create a lot of data. Whether you are setting up staff rotas for a waste disposal plant or capturing customer data in your new app, you are collecting data. And some of it will be ‘personal’ data – information about living individuals.
You need to know how long you are expected to keep data for under your company’s data retention periods. Then you need to be able to destroy it, reliably, when that period ends.
For your project, this means understanding what the retention policies are, and making sure that your project complies with them.
For example, it may be that you have to tag each new entry in the database with a destruction date, automatically calculated from the user sign up date. Or you may have to design a new monthly report that flags what data can be safely destroyed.
GDPR focuses on personal data, but it’s never a bad idea to include data destruction for non-personal data in your project requirements too. Then you’ll never over-retain anything and you’ll stay in compliance with wider organizational requirements.
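The two mechanisms described above, tagging each record with a destruction date at creation and running a periodic report of what can be destroyed, as a worked example. This is an added example, not code from the original article; the retention categories and periods, the in-memory record store and the legal-hold flag are illustrative assumptions standing in for your organization's real retention schedule.

```python
"""Retention tagging and a monthly destruction report.

Added example, not code from the original article. It assumes a simple
in-memory record store and a per-category retention schedule; the
categories, periods and the legal-hold flag are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention schedule: category -> days to keep after the event
# that starts the clock (here, the sign-up date). Real values come from your
# organization's retention policy, not from this example.
RETENTION_DAYS = {
    "customer_account": 6 * 365,   # assumption: keep 6 years after sign-up
    "marketing_consent": 2 * 365,  # assumption: re-consent every 2 years
    "support_ticket": 365,         # assumption: 1 year
}


@dataclass
class Record:
    record_id: str
    category: str
    signup_date: date
    legal_hold: bool = False                 # must never be destroyed while set
    destroy_after: Optional[date] = None     # tag computed at creation time


def destruction_date(signup_date: date, category: str) -> date:
    """Destruction date derived automatically from the sign-up date."""
    try:
        days = RETENTION_DAYS[category]
    except KeyError:
        # An unknown category means no retention period was ever agreed.
        # Fail closed rather than silently keeping the data forever.
        raise ValueError(f"no retention period defined for {category!r}")
    return signup_date + timedelta(days=days)


def create_record(record_id: str, category: str, signup_date: date,
                  legal_hold: bool = False) -> Record:
    """Every new entry is tagged with its destruction date on creation."""
    return Record(record_id, category, signup_date, legal_hold,
                  destroy_after=destruction_date(signup_date, category))


def destruction_report(records, today: date):
    """Monthly report: which records can now be safely destroyed.

    Returns (due, held): records past their destruction date, split into
    those that can be destroyed and those blocked by a legal hold, so a hold
    is visible in the report rather than silently skipped.
    """
    due, held = [], []
    for r in records:
        if r.destroy_after is None or r.destroy_after > today:
            continue
        (held if r.legal_hold else due).append(r.record_id)
    return sorted(due), sorted(held)


# Constructed sample data for the example.
SAMPLE_RECORDS = [
    create_record("C-001", "customer_account", date(2015, 1, 10)),
    create_record("C-002", "customer_account", date(2022, 6, 1)),
    create_record("M-010", "marketing_consent", date(2021, 3, 15)),
    create_record("T-500", "support_ticket", date(2023, 2, 1), legal_hold=True),
]

if __name__ == "__main__":
    due, held = destruction_report(SAMPLE_RECORDS, date(2024, 5, 1))
    print("Destroy now:", due)                        # ['C-001', 'M-010']
    print("Past retention but on legal hold:", held)  # ['T-500']
```

The unknown-category case is deliberately an error: a record with no agreed retention period is exactly the kind of data that ends up over-retained, so the system refuses to create it rather than defaulting to "keep forever".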
6. What impact does the right to portability have?
GDPR confers various rights on data subjects (i.e. people) and one of those is the right to data portability (Article 20). It covers the personal data an individual has provided to you, where you process it by automated means on the basis of consent or a contract, and it entitles them to receive that data in a structured, commonly used and machine-readable format, or to have it sent straight to another provider. Other laws have similar requirements, plus it’s just good customer service. After all, with so much online activity these days, it’s to be expected that customers will want to move around at some point.
Think about your contract with your utilities firm. You pay them monthly for your water, gas or electricity. You want to move to another provider. The right to portability gives you the right to have your customer data in a form that makes it easy for you to switch providers.
In this super simple example, it could be the details of your last 5 meter readings, so that your new provider can get an idea of how much electricity your household normally uses over time.
Your project needs to be sure that whatever you build can still meet someone’s right to port the data elsewhere, which in practice means an export that another system can read, not a PDF or a screenshot. Factor that into your requirements so that the first time you’re asked, you can actually fulfill their needs.
7. Does your project rely on profiling?
“Let’s use Facebook to target people who want to buy our new ice cream.”
While that sounds like a great marketing tool (and who wouldn’t want to work on an ice cream project?), managers should be aware that GDPR requires you to be transparent about profiling and automated decision making. You need to let people know that it happens and give them meaningful information about the logic involved.
A more realistic example is buying insurance. If you set up your company insurance software engine to automatically decline people who trip several triggers during the buying process, then you need to make sure that’s clear to people. A decision like that, made solely by a machine with a significant effect on the person, also brings in Article 22: the individual is generally entitled to ask for human intervention, to express their point of view and to contest the decision, so someone has to be able to review it.
The way to do this would be in the organization’s privacy notice, so make sure that if you are introducing new automated decision making or profiling tools (think: AI and bots) then your legal team is also updating your privacy notice, and the project includes a review path for the decisions.
8. Are you using opt in forms?
Under GDPR, consent has to be freely given, specific, informed and unambiguous, and it has to be a clear affirmative action. That means no more pre-ticked consent boxes on website opt in forms: people have to actually tick the box (instead of unticking it if they don’t want the info), and you need to keep a record of what they consented to and when.
Your Marketing team are probably already aware of this, but make sure that you’re following best practices for obtaining consent from people who reach your website, if your project has an online element.
9. Can you find data in your new software?
Many projects introduce new IT software and systems. When you add a new tool to your IT estate, it needs to be searchable.
That’s because under GDPR, people have the right to ask for their data. You need to be able to find it.
In the UK we’ve had Subject Access Requests for some time, so this requirement isn’t totally new. The process gives people the ability to request copies of their data, and organizations have a fixed length of time to respond.
The GDPR requirement doesn’t really make this much different, although the length of time is now shorter: one month, extendable for complex requests, where the old UK Data Protection Act allowed 40 days.
What is worth considering, though, is how good your systems were in the first place. When someone asked for copies of their records – whether that’s an employee or a customer – were you able to truly give them everything on file, including the records held in systems that only know the person by a customer reference rather than a name?
Data protection requirements force companies to rethink the process, so consider how searchable your new tools will be, and whether the identifiers they use can be tied back to a person when a request comes in.
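Questions 6 and 9 come down to the same engineering problem: being able to find everything you hold about one person, across systems that identify them differently, and then hand the right subset back in a machine-readable form. The following is an added example, not code from the original article. The three in-memory stores are constructed stand-ins for a CRM, a ticketing system, a marketing list and an analytics table; the field names, and the rule that only data the subject provided goes into the portable export, are illustrative assumptions.

```python
"""Finding a data subject's records across systems and exporting them.

Added example, not code from the original article. The stores below are
constructed stand-ins for a CRM, a ticketing system, a marketing list and
an analytics table; their field names and the rule that derived analytics
are excluded from the portable export are illustrative assumptions.
"""
import json

# Constructed sample stores. Only the CRM links an email address to a
# customer reference, so a search has to resolve one to the other before
# the ticketing and analytics stores can be queried at all.
CRM = [
    {"customer_ref": "CUST-1001", "name": "Ana Ruiz", "email": "ana@example.com"},
    {"customer_ref": "CUST-1002", "name": "Ben Okafor", "email": "ben@example.com"},
]
TICKETS = [
    {"ticket_id": "T-1", "customer_ref": "CUST-1001", "text": "Meter reading wrong"},
    {"ticket_id": "T-2", "customer_ref": "CUST-1002", "text": "Change address"},
    {"ticket_id": "T-3", "customer_ref": "CUST-1001", "text": "Bill query"},
]
MARKETING = [
    {"email": "ana@example.com", "sms_consent": False, "source": "web form"},
]
# Derived data: produced by the organization, not provided by the subject.
# A subject access request still has to disclose it.
ANALYTICS = [
    {"customer_ref": "CUST-1001", "churn_score": 0.72},
]


def locate_subject_data(email: str) -> dict:
    """Everything held about the subject, as a subject access request needs.

    Resolves the email to customer references via the CRM, then searches each
    store by whichever identifier that store uses. Returns {store: [records]}.
    """
    email = email.strip().lower()
    profiles = [p for p in CRM if p["email"].lower() == email]
    refs = {p["customer_ref"] for p in profiles}
    return {
        "crm": profiles,
        "tickets": [t for t in TICKETS if t["customer_ref"] in refs],
        "marketing": [m for m in MARKETING if m["email"].lower() == email],
        "analytics": [a for a in ANALYTICS if a["customer_ref"] in refs],
    }


# Stores whose contents the subject provided themselves. Derived analytics
# are deliberately left out of the portable export (an assumption for this
# example, following the usual reading of the right to portability).
PORTABLE_STORES = ("crm", "tickets", "marketing")


def portability_export(email: str) -> str:
    """Structured, machine-readable export the subject can give to a new provider."""
    found = locate_subject_data(email)
    portable = {store: found[store] for store in PORTABLE_STORES}
    return json.dumps({"subject": email.strip().lower(), "data": portable},
                      indent=2, sort_keys=True)


if __name__ == "__main__":
    # Full picture for a subject access request, including derived data.
    print(json.dumps(locate_subject_data("Ana@Example.com"), indent=2))
    # Portable subset only.
    print(portability_export("ana@example.com"))
```

The point of the two functions is the difference between them: a subject access request gets everything, including the churn score the organization computed, while the portability export carries only what the person gave you. If a new system in your project keys its records on an internal reference that nothing maps back to an identity, neither function can be written for it.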
10. What’s the data protection risk?
If your project exposes the business to a significant risk in any of these areas, then you should escalate it. The fines for non-compliance are huge (under GDPR, up to €20 million or 4% of worldwide annual turnover, whichever is higher), which should automatically make any of your project risks related to data protection become program risks or beyond.
As well as financial penalties, there is reputational risk for companies that don’t treat customer data securely. Do you want your project to be responsible for your employer being splashed all over the news as the next big data scandal?
Document potential risks and explain what layer of protection you can put in place to mitigate them, assuming there is something you can bring into project scope to do that.
What to do now
GDPR projects around Europe looked at the overall implications of this risk to the organization, but what about specifically for your new project?
Add any risks to the corporate risk register via the correct route, and don’t simply leave them on the project risk register.
Make sure there are tasks on the project plan that help you to meet legal, security and regulatory requirements.