The EU's General Data Protection Regulation (GDPR) has been touted as one of the biggest changes to data protection and privacy legislation in years, and now that it's fully in force, the chances are it is resulting in a wide range of changes to how you do business.
Even if you're not based in the EU, GDPR is likely to affect how you do business. Every company that holds personal data on EU citizens will need to follow its terms. Some publishers based in the US have sought to avoid this by simply blocking access to their sites from EU-based IP addresses, but for most businesses, GDPR is something they will need to have clear plans in place for.
But while GDPR requirements will demand that key processes are evaluated for compliance, the legislation will also have an impact on how you do everyday office tasks, both large and small. So here are a few examples of how the new environment affects office life.
Getting opinions on hiring
In the past, it may well have been common practice to share a potential new hire's CV around the office in order to get a second opinion. But most of the details contained in a CV are classed as personal data, so it can't be shared unless seeing it is relevant to the recipient's role. However, you can still do this if the CV is completely anonymized and stripped of any identifying information such as names and contact details.
Calling in sick
Your employees' health information is obviously highly personal data, so if you or someone on your team has to call in sick, the details need to be kept solely to those with a genuine need to know. This means you shouldn't reveal the exact nature of the medical condition to colleagues - just saying they are unwell is enough.
Auditing and managing your data is a task that every office will have to deal with sooner or later, but you need to make sure the people doing it are approved to have access to the data. Every company now needs a designated individual to be responsible for data protection matters, whose role is to train staff on their responsibilities and manage processes such as audits.
Planning office events
The next time you're planning an office party, you'll probably need to collect data on issues such as dietary requirements and allergies to ensure everyone gets what they want. But this is again important personal data, so you'll need to make sure you have everyone's permission before sharing it with a caterer or restaurant.
Celebrating birthdays and Christmas
If you've set up a group calendar that shows when everyone's birthday is, you might have to think again. People's dates of birth are sensitive personal information - after all, a date of birth is usually among the key security questions companies ask when verifying someone's identity - so you'll need everyone's express permission if you're doing this. Similarly, sending cards to customers at Christmas may seem harmless, but unless they've given specific consent to being contacted, this is likely to be a GDPR breach.
It may seem as if GDPR is adding unnecessary headaches to some of these everyday interactions, but you can't afford to treat the legislation lightly, or be casual with any personal data, even if you think it isn't a major issue to share it. With more people taking privacy and consent seriously, there could be big repercussions for failures in this area.