GDPR compliance: Six months to go
Over the next six months, Managed Networks in association with Securys will run practical advice columns on how to comply with new data protection laws starting on May 25, 2018. Managed Networks founder Ben Rapp looks at the first step: understanding what you do now
Start by working out what data you have. Work through department by department: ticketing, marketing, development, HR, bars and merchandise, hospitality, production. In each case, you’re looking for every piece of information you have about individual people: employees (permanent and casual), customers, patrons, prospects, performers…
Some of the information will be in organised databases – your ticketing system, your payroll, your CRM. Some will be in spreadsheets, in emails, on paper. Some will be in external systems provided or managed by others. Your first step is to record what you have and where it is – which includes both which systems it’s on and where in the world they’re hosted.
Once you know what you’ve got, work out what you do with it and why. Think about the life-cycle of the data: someone buys a ticket; you send the tickets out; you send a pre-show email; you admit the customer; you send a post-show survey. Then the record moves to your marketing database, where it is used for email campaigns and research. How do you select customers to email, how long do you keep their data, and how else is it used?
You also need to record the lawful basis for processing the data in each case – why you think it’s okay to use it. Is it because you have to (a legal or contractual obligation), because the person consented, or because you’re trying to fill your auditorium and can’t do that without marketing (a legitimate interest)? If they consented, what exactly did the consent say at the time, and can you show it?
These are just examples; don’t forget that data about staff and performers is as important as customers and marketing prospects.
Data often travels. You may get it from someone else; you may send it on. You may also store or process it in systems you don’t operate yourself – like a hosted ticketing system, an email marketing tool or an online payroll program.
You need to list all of this and, for each one, work out what agreements apply – including all those words in the one-inch-square box you ticked “I agree” to when you signed up. Remember that if you don’t have an agreement in any particular case, that’s also something you need to document.
Policies and procedures
We’re almost done. Your next step is to review all your internal policies and procedures that touch on information security. It could be a long list – or it might be very short indeed. Right now you need to put them all in one place; you also need to find out what your staff know about them, and whether the policies you have are being followed or not.
Finally, you need to look into your IT security. How good is it? Who’s responsible? Have you – or your IT provider – done anything to check how secure you are? Do your support contracts say anything about security or offer any guarantees or indemnities? Have your staff had any IT security training?
Next month, we’ll look at how to use all this information to work out whether you’re compliant with the GDPR (and with other regulations, such as ePrivacy). We’ll highlight common areas of concern, and explain some of the rules about sensitive data.
Can’t wait? Get in touch with us on firstname.lastname@example.org