GDPR was a once-in-a-generation update of our data protection regulations. And it has huge implications for people managing projects that store, capture or process personal data.
In this article we’ll look at what project managers need to know about data protection.
GDPR and data protection … it’s not over, even though the GDPR regulations are now in force.
Data protection is not a ‘one and done’ thing. This area of regulation is constantly evolving.
Schrems II implications
As the ICO writes:
The judgment in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA.
For a while, GDPR projects were everywhere; you might have been involved in one yourself. But beyond the setting up of GDPR principles in your business, what does data protection look like for project management? Because it is still affecting us, even if you don’t talk about ‘GDPR’ every day.
What data protection considerations do you need to take into account before a project starts? This will also apply to you if you work within a PMO.
Below I’ll look at 10 questions managers should ask themselves before starting a new project, and there’s a quick video covering some of the main points below — scroll down for that.
But first, let’s cover the basics.
You should know that I’m not a lawyer and this article does not in any way constitute legal advice or business advice. I’m just someone who has done a lot of research about GDPR. I am happy to recommend Suzanne Dibble’s GDPR Documentation Pack which I use in my own business (more on this at the bottom of the article). Always take advice from your legal team.
What is GDPR?
It’s highly likely that you have heard about GDPR – the General Data Protection Regulation that came into force on 25 May 2018 across Europe.
In the UK, the Information Commissioner’s Office (ICO) ran campaigns to raise awareness and to help businesses comply. Their guidance continues to be pragmatic and very helpful.
Unless your management team have been living under a rock, they will have worked on making your organization compliant with the new regulations because the implications of not being compliant are significant.
GDPR is Relevant Even if You Aren’t in Europe
Oh yes – this is the biggie.
Even if you personally aren’t in Europe, and you aren’t working for a European firm, you still need to abide by GDPR principles if you store or process the data of European individuals.
The simplest example is if your business builds new software. If you make it available to buy on the internet, and let people from all countries buy it, then GDPR applies to the way you process the data of your European customers.
Frankly, it seems easier to me to apply good data protection principles to all your customers. Life is too short to try to put dual processes in place and have non-European and European individuals treated differently. The obligations aren’t that onerous – honestly.
What is Personal Data?
The ICO defines personal data as:
information about a particular living individual.
That’s quite broad, and covers things like:
- Data of birth
- Location data gathered from browser history
- Identification number, such as a customer reference number, as long as that can be tied back to a person
- Online identifier, like a social media user name.
Many, many projects will store, touch, capture or process personal data, because businesses have huge amounts of data about both customers and staff.
Here are 10 things project managers need to know about GDPR before starting a new project.
1. Who is Your Data Protection Officer?
Your company is highly likely to have a Data Protection Officer (DPO). This person will be responsible for all data protection issues within the organization. They are your first point of call if you have a data query.
It’s good to know who they are. They become one of the subject matter experts you can then draw on during the project in case you have questions about data protection, or any of the data subject rights under GDPR.
2. What is a Data Privacy Impact Assessment?
Does your project handle personal data? If so, you’ll need to complete a Data Privacy Impact Assessment (DPIA).
A DPIA is basically a review of what personal data is being handled as part of the project. There are lots of questions to answer, and at the end you get an idea of the scope and scale of the risk.
The DPIA looks at:
- The scope, context and purpose of the processing required
- Whether it’s necessary to process the data
- What compliance measures are/will be in place
- The risks to individuals (your data subjects)
- The measures you can take to mitigate those risks.
Your PMO should have a DPIA template, and any project that touches personal data should be required to complete it. This is something your Information Governance Manager or DPO can help with.
Then you can appropriately plan the controls and actions required to move the project forward.
DPIAs are covered in this video, where I highlight some of the key data protection concerns for project managers.
3. Will You Transfer Data Outside the EU?
Does your project involve transferring data outside of the EU?
If so, you’ll have to pay special attention to what that requirement looks like. You may also have to face the reality that you might not be able to do it. If the company you want to transfer to does not have adequate data controls in place, you could be better off looking for an alternative solution that doesn’t require transferring data outside the EU.
This is one area where you will want to draw on the expertise of your DPO and the lawyers in your business.
4. What Does Your Privacy Notice Say?
You’ve read your company’s privacy notice, right? They probably have one for staff and one for customers.
Even if you’ve never bothered to look at it before, if you are running a project that uses or captures personal data, then it’s worth taking a look. You need to be sure that your project can meet the standards laid out in the privacy notice.
For example, if there is nothing in there about contacting customers via SMS message, then you can’t contact customers via SMS message, even if your project sponsor thinks it’s a genius idea. You need to get consent to market to people via SMS, and if you don’t have it, you can’t do it.
You may also hear the privacy notice referred to as a Fair Processing Notice.
5. What is The Retention Policy for Data?
Projects create a lot of data. Whether you are setting up staff list rotas for a waste disposal plant or capturing customer data in your new app, you are collecting data. And some of it will be ‘personal’ data – information about living individuals.
You need to know how long you are expected to keep data for under you company’s data retention periods. Then you need to be able to destroy it.
For your project, this means understanding what the retention policies are, and making sure that your project complies with them.
For example, it may be that you have to tag each new entry in the database with a destruction date, automatically calculated from the user sign up date. Or you may have to design a new monthly report that flags what data can be safely destroyed.
GDPR focuses on personal data, but it’s never a bad idea to include data destruction for non-personal data in your project requirements too. Then you’ll never over-retain anything and you’ll stay in compliance with wider organizational requirements.
6. What Impact Does Right to Portability Have?
GDPR confers various rights on data subjects (i.e. people) and one of those is the right to portability.
Think about your contract with your utilities firm. You pay them monthly for your water, gas or electricity. You want to move to another provider. Right to portability gives you the right to have your customer data in a way that makes it easy for you to switch providers.
In this super simple example, it could be the details of your last 5 meter readings, so that your new provider can get an idea of how much electricity your household normally uses over time.
Your project needs to be sure that whatever you build can still meet someone’s right to port the data elsewhere. Factor that in your requirements so that the first time you’re asked, you can actually fulfill their needs.
7. Does Your Project Rely on Profiling?
“Let’s use Facebook to target people who want to buy our new ice cream.”
While that sounds like a great marketing tool (and who wouldn’t want to work on an ice cream project?), managers should be aware that GDPR requires you to be transparent about profiling and automatic decision making. You need to let people know what logic is used to process their data.
A more realistic example is buying insurance. If you set up your company insurance software engine to automatically decline people who trip several triggers during the buying process, then you need to make sure that’s clear to people.
The way to do this would be in the organization’s privacy notice, so make sure that if you are introducing new automatic decision making or profiling tools (think: AI and bots) then your legal team is also updating your privacy notice.
8. Are You Using Opt In Forms?
Under GDPR, consent has to be transparent and freely given. That means no more pre-ticked consent boxes on website opt in forms. People have to actually tick the box (instead of untick it, if they don’t want the info).
Your Marketing team are probably already aware of this, but make sure that you’re following best practices for consenting people who reach your website, if your project has an online element.
9. Can You Find Data in Your New Software?
Many projects introduce new IT software and systems. When you add a new tool to your IT estate, it needs to be searchable.
That’s because under GDPR, people have the right to ask for their data. You need to be able to find it.
In the UK we’ve had Subject Access Requests for some time, so this requirement isn’t totally new. The process gives people the ability to request copies of their data. Organizations have a certain length of time to respond.
The GDPR requirement doesn’t really make this much different, although the length of time is now shorter.
What is worth considering though is how good your systems were in the first place? When someone asked for copies of their records – whether that’s an employee or a customer – were you able to truly give them everything on file?
GDPR forces companies to rethink the process so consider how searchable your new tools will be.
10. What’s the GDPR Risk?
If your project exposes the business to a significant risk in any of these areas, then you should escalate it. The fines for lack of compliance are huge, which should automatically make any of your project risks related to data protection become program risks or beyond.
As well as financial penalties, there is reputational risk for companies that don’t treat customer data securely. Do you want your project to be responsible for your employer being splashed all over the news as the next big data scandal?
GDPR projects around Europe looked at the overall implications of this risk to the organization, but what what about specifically for your new project?
Add any risks to the corporate risk register via the correct route, and don’t simply leave them on the project risk register.
If you run a small business or work on projects in a small business, I highly recommend Suzanne Dibble’s GDPR Pack. It includes a readiness checklist, sample documentation and more, all aimed at getting you compliant in the least possible time and it’s very cost-effective.