Privacy Impact Assessment – How to classify data under GDPR
In the last article of our series we introduced the idea of producing a Privacy Impact Assessment from our current data map (see previous article). From the data map we should be able to highlight what is considered to be sensitive data. This is where confusion creeps in, between what counts as personal information and what is genuine business activity. The following article seeks to address these issues.
Does GDPR hinder our day to day business activities?
If your organisation works within the B2B sector, then the chances are you will be dealing with people in a professional capacity. They would still be “living human beings” in GDPR speak, but you would probably be trading in products and services that your client is interested in purchasing. If any communications contain someone’s name, then you need to consider GDPR, but the information transferred or held on that individual in their work role is probably not that earth shattering. Contents of emails, meeting requests and contracts should all contain information relating to that entity’s trading activities. They are working as agents of an incorporated company, which as a “non-living entity” is therefore beyond GDPR. GDPR is not meant to stifle business communications, marketing or trade, but it does expect businesses to be aware of an individual’s information rights as they go about their endeavours. It is the type of information you hold, how it is stored and the methods of transfer that really matter. Even small enterprises may have to change their entire operations due to the type of information they have in their care. I went to visit a relatively small business, with limited resources, but their services were directed at children. They need to give special consideration (see our FAQ section on sensitive data) to their data, even more so than much larger organisations, due to the nature of the information they possess.
How does this affect a Privacy Impact Assessment?
The privacy impact assessment is exactly what it says. If details relating to a child were released to the public, the ramifications would be very different from those of releasing petty cash receipts. The harm, embarrassment and financial consequence of an information release would have to be appreciated in full, and then due care exercised, proportionate to that harm, in the methods and procedures put in place to keep that information away from prying eyes. Although this includes cyber security (firewalls, monitoring, etc.), it also requires data minimisation, authorised access and responsive notification periods.
Good data stewards
As custodians of the public’s information, the exercise is really to view the stewardship through the eyes of the customer and ask what steps they would expect you to take to earn the trust they have placed in your organisation. We need to meet their expectations of caring for the information that they wish to keep private.