What Project Managers Need to Know about GDPR (Even If You Don’t Work in Europe)—Part Two
In the first part of this series on the General Data Protection Regulation, I discussed how GDPR provides for one set of data protection rules for companies operating within the European Union so people have more control over their personal data and what happens to it. I also discussed how GDPR affects businesses outside the EU. In this article, we’ll detail how GDPR affects us as project managers.
Whether or not GDPR applies to you and your projects, it doesn’t hurt to follow good data protection principles for all the projects that you do. A sensible starting point is to think about the types of data being used on your project and what you use it for.
Think about what customer, supplier, or staff personal data your project uses. If you are managing any kind of project that has an IT element, from a door security system that records people entering and leaving to a new app, the project probably touches personal data.
Ask yourself the following questions:
- Is it data that relates to and identifies a person, like their name, address, social security number or biometric data?
- Is it necessary to capture and store the data?
- How will you keep it safe?
- How will you make sure people can get copies of it if they want to?
- Can it be extracted and transferred to another system if someone needs to do that?
- Are you giving people the option to consent to how their data is used where appropriate, and the option to opt out?
Because consent to processing is such a huge topic, I think it warrants a little more explanation.
You may need to process someone’s data for a number of reasons, and “because they consented” is only one of them. GDPR doesn’t expect you to get explicit consent to take credit card details when someone is buying something from you, for example. If you had to ask every customer for explicit permission at the cash register, you’d be there all day and customers would get annoyed. You need to process their credit card data in order to fulfill their purchase.
GDPR sets out a number of lawful reasons for processing data (and consent from the individual is one of them). That’s why one of the key things for businesses is to know why they need the information, so they can justify the reason for having it.
Does this sound like a headache? A lot of upfront work is involved in finding and documenting exactly what data your business has overall, but at a project level, this isn’t a difficult job. The data being processed should be recorded in your project requirements anyway.
You now know what personal data is used and why it is used.
The next data challenge for your project is to think about what happens when you don’t need the data any longer. Has your project already covered data destruction? Or are you simply building a massive database that is going to fill up over time with no end in sight?
GDPR challenges us to specify when data is no longer required. Your business will set these timelines. As a project manager, your job is to build in a mechanism to delete data when it’s no longer needed. That might be, as in the case of LiquidPlanner, when the customer is no longer a customer.
Whether GDPR applies to you or not, it’s good data housekeeping to think about how you are going to get rid of data you no longer need. Data storage might be cheap, but it’s cheaper and less risky not to hold a massive amount of unnecessary data.
Create tasks in your work breakdown structure and project schedule to build in the ability to delete data when it’s no longer needed. This could easily form part of the standard nonfunctional project requirements for any project.
One of the difficult things about implementing GDPR in any business is that it doesn’t stand alone. Other pieces of regulation also apply and overlap in some cases, such as the Privacy and Electronic Communications regulations, guidance on the use of CCTV, and probably a host of other guidelines and laws.
Always take advice from your legal team. There might be nothing extra for you to do, but it’s better to check than to work on your project for several months before you realize you need to add in new features for compliance reasons.
An individual’s personal data is a huge asset to companies and can be a definite benefit when thinking about what new products to design or what processes to improve. However, we need to be careful with the data people entrust to us in business.
Data protection will become even more entwined in the fabric of how we manage projects than it is currently. Start thinking about security now, and you’ll keep your company out of the headlines and your customers happy.
Note: Elizabeth Harrin is not a lawyer, and this article is not legal advice.