I’ve been asked the same question a lot lately:
Q. “Is my form/spreadsheet/database/system GDPR compliant?”
A. Well, unfortunately it’s not that simple. A spreadsheet itself cannot be GDPR compliant, but there can sometimes be parts of it that stick out and would make it non-compliant. GDPR compliance is more about the treatment of the data and the processes that use it, so we suggest you consider the process as a whole, including where you process and store that data (your spreadsheet). First, I always encourage individuals to read the ICO’s GDPR guidance pages on their website; they are very good and explain a lot of the detail with real-life examples. In particular, their “GDPR: 12 steps to take now” document is excellent and should mostly answer this problem for you. Second, if you really want to understand GDPR (and get it right), you should consider reading the full text, highlighting the relevant parts and saving an electronic copy in your favourites (it’s only ~140 pages long!).
As a quick reference, here’s a short list of considerations for your process (which includes your form/spreadsheet/database/system) which will help you understand how close you are to compliance:
1. Do you understand (and have you mapped) the full, end-to-end data flow for this process, including data subjects and third parties? (How can you safeguard your data if you don’t know where it is?)
2. Do you understand (and have you documented) your legal basis for processing this data? See Article 6 of the GDPR.
3. Is your processing restricted to/in line with the reasons for which you gathered this data?
4. Are you ensuring that individuals know what you are doing with their data? You’ll need an accurate, GDPR compliant privacy notice at the point of data collection.
5. Are you only gathering the data you need for this process? You need to ensure that you are not collecting superfluous information. For example, if you only require feedback on a presentation, do you really need to collect the name and age of each individual? Maybe just an age group would do.
6. Where decisions are made based on this data are you confident that it is accurate, up to date and of sufficient quality to make this decision?
7. Are you following a clear retention policy for your data based on good business requirements?
8. When requested, can you provide a copy of, amend, erase or restrict access to a subject’s data? This is not an absolute right and there may be instances where you will not need to, for example to comply with your legal obligations.
9. Are you confident that your data is appropriately safeguarded? You should consider firewalls, user access management and potentially encryption.
10. Are you confident that there are controls in place to ensure that any third party processing this data (where applicable) will give it the same level of protection that you do?
11. Does all your data remain in the EEA? Where it does not, you will need to take steps to ensure adequate protection is in place (consider, for example, any third-party software hosted overseas).
If you have answered no to any of these questions then your process may not be GDPR compliant and you should seek further advice.
Finally, the GDPR silver bullet: do you really need this data? If you do, do you need to be able to identify the individual? If you can erase this data (where it’s not needed) or anonymise it so that an individual can no longer be identified, then this data will no longer be protected by the GDPR. I often find that when I ask people why they need data they can’t give me a solid answer, and they slowly come to the realisation that maybe they don’t need the data, or that it can be anonymised. This is always the safest option with personal data!
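As an added illustration of the data minimisation in point 5 and the anonymisation advice above (example code written for this post, not taken from the original article or from the ICO), the Python below strips the name and e-mail fields from presentation-feedback rows, replaces each exact age with an age band, and then generalises any band with too few respondents to single someone out. The sample rows, field names, age bands and the threshold of three are all constructed assumptions.

```python
from collections import Counter

# Constructed sample rows, as a presentation-feedback form might collect them.
# Names and e-mail addresses are placeholders, not real people.
RAW_FEEDBACK = [
    {"name": "Person A", "email": "a@example.invalid", "age": 34, "rating": 4, "comment": "Clear slides"},
    {"name": "Person B", "email": "b@example.invalid", "age": 41, "rating": 5, "comment": "Good pace"},
    {"name": "Person C", "email": "c@example.invalid", "age": 29, "rating": 3, "comment": "Too long"},
    {"name": "Person D", "email": "d@example.invalid", "age": 22, "rating": 4, "comment": "Useful demo"},
    {"name": "Person E", "email": "e@example.invalid", "age": 38, "rating": 2, "comment": "Hard to hear"},
    {"name": "Person F", "email": "f@example.invalid", "age": 67, "rating": 5, "comment": "Excellent"},
    {"name": "Person G", "email": "g@example.invalid", "age": 25, "rating": 4, "comment": "More examples"},
]

DIRECT_IDENTIFIERS = {"name", "email"}  # fields that identify a person outright (assumed set)
AGE_BANDS = [(0, 17, "under 18"), (18, 29, "18-29"), (30, 44, "30-44"),
             (45, 64, "45-64"), (65, 150, "65+")]  # exact age -> coarse band (assumed bands)

def age_band(age):
    """Replace an exact age with the band it falls in."""
    for low, high, label in AGE_BANDS:
        if low <= age <= high:
            return label
    raise ValueError(f"age out of range: {age}")

def minimise(rows, keep=("rating", "comment")):
    """Keep only the fields the feedback process needs, drop everything else
    and generalise the age. Free-text comments are kept as collected, so they
    still need a manual check for identifying details (e.g. a colleague's name)."""
    return [{"age_band": age_band(r["age"]), **{k: r[k] for k in keep}} for r in rows]

def suppress_small_groups(rows, k=3, key="age_band"):
    """A band with fewer than k respondents can still single someone out
    (a lone 65+ attendee is recognisable), so generalise it further."""
    counts = Counter(r[key] for r in rows)
    return [dict(r, **{key: r[key] if counts[r[key]] >= k else "not stated"}) for r in rows]

def leaked_fields(rows):
    """Return any direct-identifier fields that survived minimisation."""
    return {f for r in rows for f in r if f in DIRECT_IDENTIFIERS}

if __name__ == "__main__":
    minimal = suppress_small_groups(minimise(RAW_FEEDBACK))
    assert leaked_fields(minimal) == set()
    for row in minimal:
        print(row)
```

Once the raw form responses are deleted, only the minimised rows remain, which is the position the advice above is aiming for.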