What Project Managers Need to Know about GDPR (Even If You Don’t Work in Europe)
It seems like every week a company is in the news for misusing data. Whether it’s concern with how our data is being used by marketing firms or about companies “losing” thousands of credit card records to a hacker, data is regularly making the news—and not in a good way.
Amongst all the database dramas and security scandals is a set of standards that goes some way to help, and project managers who work with individuals’ personal data as part of their projects should be taking notice.
What standards am I talking about? If you are based in the European Union, you won’t have missed the flurry of activity in the spring as companies got ready to implement changes to bring those standards in. I’m talking about GDPR.
What Is GDPR?
GDPR stands for the General Data Protection Regulation. It’s a once-in-a-generation sweep-up of data privacy standards.
GDPR provides for one set of data protection rules for companies operating within the European Union. It harmonizes data protection laws across EU states. The main benefit is that people have more control over their personal data and what happens to it.
The regulation came into force on 25 May 2018.
So, It’s A European Thing?
Yes and no.
EU citizens are covered by GDPR, or rather, the legislation in their countries that brings GDPR into law. In the UK, for example, it is the Data Protection Act 2018 that enshrines the GDPR principles into law.
GDPR has been a big thing in Europe, but it also affects companies outside of the EU that have an international customer base that includes European citizens. If you store or process the data of EU individuals, GDPR will apply to you.
But I Don’t Work with Europe
Even if you don’t work with customers or staff in an EU country today, your next project might need to recruit subject matter expertise from European countries—and those new staff members would expect to have their employee or contractor data relating to their employment processed in a compliant way.
Your next project might need you to work with a supplier who is based in the EU or to launch an internet service that will be open to everyone from any country. With the internet in mind, does your business have a website with a “Contact Us” form? And can people from Europe put their details in? If so, then GDPR applies to you.
Let’s assume that you are a project manager for a brick-and-mortar business with zero web presence and a very local customer and employee community. Even so, GDPR is only about keeping personal data safe. While those data protection principles might not yet be enacted in your local laws, I think we can assume that many other countries will actively choose more data safeguarding in time.
The GDPR Headlines
The main headline from GDPR is transparency. Companies need to be explicit about why they are storing and processing your data and what they use it for. If they haven’t got the right to contact you for a relevant purpose, then they shouldn’t be contacting you. That includes not sending you unsolicited marketing emails to your personal email address.
Companies shouldn’t collect more information than they need to fulfill their purpose. Your project should only collect the data required for the task, whether that’s fulfilling an order or dealing with a complaint. If you are building a new online form to take nail salon bookings, you shouldn’t be asking customers to enter their favorite food unless you are going to give them that food during their appointment.
It should also be easy to opt out and get copies of whatever data a company holds on you.
GDPR makes it possible for people to move their data between companies. For example, if you had a no claims discount on your car insurance, you could move your complete car insurance history from one provider to another, in the hope that they would take your prior driving experience into account.
GDPR is a wide-ranging piece of regulation that affects many elements of how data is kept and used, and how companies need to share information with you about that. Check out what your government regulator has to say about applying the standards, or for good quality information in English, the UK’s Information Commissioner’s Office is a solid place to start.
The prediction is that GDPR-style data privacy will be debated by lawmakers around the world. These regulations, or something very similar, could soon be coming to your country.