Where's my data?
I've had to change my plans because one of the tools I was planning to use doesn't work with the GDPR. Here's what I found out.
There's been a change of plan. Having settled on Directus as the tool I was going to use, I ran into an issue: I found I couldn't use their standard hosted service and still abide by the Data Protection Act and GDPR.
Before you go and read something more interesting, I'm going to share a bit about how I make sure that my work treats people's data properly, without a huge amount of effort, and how you can do the same. I'll also share what this means for the approach I was taking before, and what I'm changing.
Information matters
Being compliant with the GDPR isn't just something for big businesses. Every organisation - including non-profits - needs to make sure it's handling people's data properly. Even those who are exempt from registering still need to abide by the law about how they handle personal data.
So what exactly is personal data? It's any information that could be linked to a specific, living person. The link doesn't have to be direct or explicit, as long as that data could point to someone. There's also special category data, which needs to be handled even more carefully. If you work with any vulnerable stakeholder groups, this should be a really high priority.
The GDPR covers EU, EEA and UK citizens (at least at time of writing), so if you do business with anyone from these places, you need to be doing this. And as we use more and more services in the cloud, we need to make sure these are covered too. One often-overlooked aspect of this is that the GDPR covers employees, too, not just customers.
The basic principles
There are so many different ways that we use and store data that it can be hard to figure out what to do. Here are some guidelines I like to use whenever I think about this.
- Be clear and transparent about what purpose you will use people's data for. And make sure it's documented.
- Collect the minimum data necessary to do that. Don't collect anything "just in case".
- Make sure you have a lawful basis to collect that data.
- Make sure that data is protected securely wherever it happens to be.
- Delete data when you no longer need it, or when you are asked by the person who the data is about, whichever is sooner.
If you do this for all the data you collect then you have nothing to worry about from the GDPR! And more importantly, you're looking after everyone's data well.
Getting the basics right
There's a big "if" in the previous paragraph; figuring out what those principles mean in practice can be tricky. For most small businesses, though, these steps are a good start:
- Make sure you use strong, unique passwords for all your different services (use a password manager). Make sure those you work with do too.
- Don't share accounts. Use sharing permissions to give access to resources instead of giving others account credentials.
- Encrypt all computers, laptops, phones, and other devices that have people's data on them.
- Put a Privacy Notice on your website. The ICO has a good guide and template for this.
- Get a Data Processor Agreement with any third-party services where you store people's data. Include it in the privacy notice. Many of these are publicly published, though you may have to ask for one.
- Check the tracking and cookies your website uses, and warn people about it. If possible, stop tracking people.
A lot of businesses are doing most of this stuff already. The most commonly overlooked thing I come across is simply documenting it all, and sharing that.
My particular problem
If you've read my previous post about my plans for the site, you'll know I was intending to use Directus Cloud to store data. Unfortunately, the only way to get a Data Processor Agreement with them is to have an enterprise agreement, which is far more involved and expensive than I need.
So, I have two options: self-host Directus, or use something else.
One of the great things about using open source software is that you can always run it yourself, instead of having someone else do that for you. You can do that if you're technical, or you have a techie or two available to you, and want to spend the time and effort that way. For smaller projects, it's often not worth the effort, though.
In my case, it's definitely not worth the effort. So I'm doing something else. In the short run, I'm not going to store data in the cloud at all; it's just going to be on my local computer. In the longer run, I'm going to look at integrating with a cloud data tool like Baserow, Microsoft Lists, or Google Tables (when it's released). That should make things a bit cheaper and easier to develop, and I can always add more features later!