Recently, there has been a lot of talk at my company about the General Data Protection Regulation (GDPR) that was passed in the EU and goes into effect on May 25th of this year. It affects any business that has customers in the EU and our company definitely qualifies. Basically, what this means for me is that I have to be a lot more thoughtful about the information that I send and receive every day, whether I keep it or not, and for how long. When I first heard about GDPR I freaked out a little bit because a company can be fined a lot of money if they are not in compliance, and there is even talk of “random auditing,” to be sure employees are in compliance. After reading into it, attending departmental meetings, and reevaluating my own business practices, I realized that it’s really not that big of a deal at all.
I deal with personal information every day because I’m an editor: I receive PDF proofs from authors and I have their contact information. No, this information doesn’t include their credit card or financial information, but I do have access to their names, email addresses, work institutions, etc. I’ve never really thought about all of that as “personal information” before because, technically, it’s publicly available once it’s published (or at least available to those who subscribe to this particular publication). I’ve started thinking in a new way about how I communicate and with whom, and how I organize and store the information I receive from authors.
On one hand, this has made me much more organized: I have set up “retention policies” in my Outlook that will hold on to certain emails for a specific length of time, then will automatically delete them. I’ve also adopted a policy similar to the one I use when I clean out my closet: “Have I looked at this in the past 6 months? A year?” If the answer is no, it’s out. On the other, it’s made me more aware of people’s information and how I use it on a day-to-day basis. Is the way I’m using it secure (i.e., should I email this as an attachment, or can I send it via a secure FTP or something like Hightail?) or am I compromising this data?
The specifics can be downright complicated, but I think the spirit of the law is a good one! Is anyone else dealing with something like this in their workplace?