Time for a data spring clean to ensure GDPR compliance

Written by Caroline Houlden, Digital Marketing Manager, Fordway.

The Information Commissioner’s Office (ICO) has now begun to show its teeth by handing out fines for GDPR breaches. It’s to be hoped that no-one reading this article is as cavalier with data as London pharmacy Doorstep Dispensaree Ltd., which was recently issued a fine of £275,000 by the ICO after an inspection by the Medicines and Healthcare Products Regulatory Agency (MHRA) found that it had stored approximately 50,000 documents containing personal data of UK citizens in unlocked crates, disposal bags and boxes in a rear courtyard.

What makes this case interesting is that it suggests the ICO is looking at more general GDPR compliance issues as well as large security breaches. So it’s a good idea to review your organisation’s compliance regularly. 

Marketing departments have been strongly impacted by the GDPR, as they depend to a large extent on data held on prospects and customers. The ICO has a track record here – shortly before GDPR came into effect, it fined EE £100,000 for sending over 2.5 million direct marketing messages to its customers without consent.

The CRM system provides the hub for contact information and, for many organisations, is where much of their PII resides. GDPR policies should ensure that records are regularly maintained and that data remains compliant, and these policies should be embedded in your daily operations. Even so, a regular review is vital to ensure the demands of business as usual have not led to bad practices. Your review should consider data handling against the six principles of data protection: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.


Review against six key principles

As part of GDPR compliance, most organisations will have ensured that their data collection policies were lawful, fair and transparent, so hopefully this is a given – provided those policies are being adhered to and remain fit for purpose.

Under data minimisation, could you be inadvertently gathering data that’s not needed? Similarly, under purpose limitation, are you certain that the information you’re storing still has a purpose? If something has changed, e.g. you no longer offer certain products or services, you need to delete the relevant information and update your Privacy Policy accordingly.

You also need to ensure you’re accurately storing the source of your data. If you’ve received any Subject Access Requests, review them to check whether your response was adequate or to identify any problems with data sourced via a specific channel.

Much of the business data that your organisation holds may be in the public domain already, particularly if you work in the B2B space. However, that isn’t enough; you must have an efficient process for recording the source and your interest in these contacts, particularly if you are relying on legitimate interests. We’ve received enquiries from individuals who have previously consented to communications asking where we got their data from, highlighting the importance of storing the source of PII data. Should someone complain, you need to be able to remove them immediately and have a process for logging and tracking these requests.

If your organisation handles consumer data, GDPR compliance is even more vital. If you’ve contacted an individual to market products or services which they haven’t asked for, this is intrusive and a clear breach of the regulations. Individuals now have a much greater awareness of their data protection rights and will be quick to hold your business to account if you make a mistake. 

Data accuracy can be a difficult issue. Under GDPR you must ensure you take ‘every reasonable step’ to remove or rectify out-of-date data. So if one or more records have not been accessed or updated in a certain amount of time, you could consider setting automated flags to ensure you inspect the records further and initiate whatever activities are needed to manage the updates effectively. If you identify any dead records, it’s a good idea to remove them.

Under the principle of storage limitation, you should remove data which is no longer necessary. You should have put in place time periods and mechanisms for deleting records, but if this is being managed manually you should review processes to see if there is a way to flag and/or automate data for removal.

Finally, under integrity and confidentiality, it’s important to review the measures your organisation is taking to secure any PII it holds. For example, have you encrypted or pseudonymised personal data wherever possible? Are you confident that data is not creeping off your systems into spreadsheets on unsecured BYOD devices or memory sticks? It’s worth spot checking across your organisation to ensure no unhealthy behaviours have crept in.


Ensure policies are adhered to

Once an organisation has put policies in place, it’s easy to assume that everyone is following them. However, even organisations which have deployed measures such as Data Loss Prevention and encryption to support compliance need to benchmark activities against best practice. 

In our experience, gaps can quickly develop as the focus of the business moves onto new areas and people at all levels take short-cuts to meet deadlines and deliver results. So why not initiate a spring clean, beginning by inviting all your data owners to a meeting to train, review progress and troubleshoot any issues? With fines of up to €20m or 4 per cent of annual turnover for those who breach the regulations, it’s better to be safe than sorry.

