GDPR (part 1 of 5): Making an inventory
On the 25th of May 2018, the ‘General Data Protection Regulation’ (GDPR) will enter into force and will also be enforced by the Dutch data protection authority ‘Autoriteit Persoonsgegevens’ (AP). Under this European directive, consumers and citizens have more rights with regard to the processing of their personal data by third parties, organizations are given more responsibilities for the safer and more straightforward processing of these personal data, and the liability distribution for abuse or negligence is much better identified and established.
The central concept of the new law is "personal data". When you work with personal data, you should be able to clearly and completely explain in simple language as to what happens with personal data within an organization and how the data is being processed. You have to record this in what has been called the ‘processing register’. Eventually, this register will contain the documentation of all the processes and activities with personal data of the university. The law often mentions two core principles with regards to the processing of personal data, namely: data minimization and user minimization.
Data minimization means the minimal collection, storage and use of personal data that is necessary for a certain activity or process. It is important to stay as close as possible to the core purpose of the activity when processing personal data. For example, retrieving or saving birth data or address data for sending newsletters by e-mail is not necessary for the core purpose of the activity (sending out newsletters) and therefore superfluous. The e-mail address alone would be sufficient in this case. When making an inventory, it is therefore important to have the purpose of an activity clear and to carry it out with minimal amount of personal data as possible.
User minimization refers to allowing access to personal data only to those persons who need this information and to deny access to persons who are unauthorized. It often happens that personal data are shared in folders that are accessible by more people than those for whom it is intended. It is therefore important to always take this into account when processing personal data, for example by working in a private Sharepoint-environment.
With these core principles in mind, it is now time to make an inventory of the current activities. A first recommendation would be to delete as much unnecessary or superfluous personal data from the desktop as possible, the P:-disk (personal work environment), the J:-disk (the department folder) and the mailbox (both received and sent mails). Instead of checking all subfolders individually in Windows, the search function in the upper right corner of Windows Explorer (not to be confused with Internet Explorer) or the keyboard shortcut Ctrl + F allows both subfolders and their contents to appear in the same overview by searching for "*" (without the quotation marks). By filtering the search results by date, for example, it is very easy to remove all obsolete files with a single command.
Working safely and responsibly with personal data
Personal data can also be stored in the mailbox. It is needless to say that it is impossible to delete all personal data in your mailbox, but it is nevertheless important to do this as much as possible. It often happens that personal data about is exchanged with the use of attachments in e-mails. An easy way to view and delete these e-mails is therefore to filter the mailbox on only the mails that contain an attachment and then sort them by date from old to most recent. Chances are that the oldest e-mails are no longer necessary or important and can therefore be removed. Another way is to sort the e-mails by sender with whom you exchange personal data the most. In both cases, it is important to clean both your 'inbox' and your 'sent items'. Attachments of e-mails can also be removed separately from the e-mail itself.
There are many more tools and tips on the university's website to work more securely online.
After removing the unnecessary and superfluous files, documents and personal data, the remainder is the utmost necessary amount of personal data you need for your work and activities. By subsequently archiving it in a clear way for you, you are ready for the next step in working safely and responsibly with personal data: 'Do's, Don'ts and Alternatives'.
Do you have questions about the GDPR or are you too impatient to wait until next week? Take a look at the university website for more information or feel free to send your question to firstname.lastname@example.org!