When and where you should consider data protection in new projects

In our last blog article we talked about how important it is to “bake in” good data protection practices to a new policy or project, because it’s painful trying to add it as an afterthought, in the same way as you can’t easily make fruit scones without adding the raisins at the same time as the flour and the other ingredients.

This brings up two further questions:

  1. What is a “data protection-related” project? And,
  2. How do we make sure data protection gets introduced at the right point?

So, what is a data protection-related project? In simple terms, it is anything and everything to do with collecting, using, analysing, sharing, storing or even deleting information that identifies, or can identify people.

Which sounds straightforward, but in my experience I’ve found a lot of people saying “but this isn’t personal data” when (to a DP geek at least) it clearly is. For some reason, a lot of organisations and teams seem to have a blind spot when it comes to what constitutes personal data.

If I was a cynical person I’d say it was because they want to (consciously or unconsciously) avoid having to deal with data protection, and the obstructions they fear might come with “doing” DP… Or to give people the benefit of the doubt, maybe there is a real lack of understanding about what data is and isn’t personal data.

Let’s brainstorm some of the projects and policy changes that could be going on that should be flagged up as involving personal data (and therefore needing to be risk assessed from a data protection angle).

It will of course vary by organisation, so you could start a list for your own organisation, but here’s a few ideas for starters:

Employees: Projects or policies relating to recruitment, equality & diversity improvement, managing absences, maternity/paternity/parental/adoption leave, employee benefits, performance management, pensions.

Customers: Projects or policies relating to signing-up new customers, equality & diversity improvement, feedback collection, complaints management, service delivery, order fulfilment, fundraising, marketing.

Social Housing: Specifically for housing associations, projects or policies relating to tenancy or shared-ownership applications, rent collection, repairs, ASB management, evictions, monitoring of energy use, offering advice services such as money advice or help to get into employment.

Basically, it’s anything that your organisation is planning to do or change, that involves any information that is about a person or people.

Get in touch and let me know if I’ve missed anything you think people need to be reminded about!

Our second question is “how do we make sure data protection gets introduced at the right point?” To go back to the scones, this is about making sure the raisins are taken off the shelf at the same time as the flour and all the other ingredients.

Unfortunately, this is less straightforward…

The first step is to communicate with as many colleagues who are involved in any of the projects or policies listed above (or anything similar), especially the decision-makers, and remind them that the chances are their project or policy involves personal data and so data protection risks should be considered right from the start. Remind them often, as often as possible, until people start approaching you themselves with their planned projects, and then you can stop chasing them!

The next step is to identify as many idea-making points in the organisation; where the ideas come from for new projects and for new or updated policies.

This could be senior management in general, or perhaps your customer services or HR teams. You might even have a research and development type team, a project management team and/or a policy team. If so, these are brilliant people to be friends with, as the DP lead.

Remember it’s the earliest stages of planning that you want to identify, not where the final sign-off of projects/policies happen.

Once you’ve identified the people and the places the ideas are coming from, you can recommend (strongly!) that they add prompts to consider data protection into all the relevant paperwork and systems, and onto the agenda of any meetings that discuss new ideas.

To convince your organisation that they should add these prompts and assess the risks, it’s important to highlight the benefits to the business of considering data risks, and of doing it early. We’ll cover this in more detail in a future blog, but just briefly some of the benefits include: increased trust and respect, better efficiency, improved customer service and reduced risks of causing people harm.

In our next blog we’ll explore ideas for those prompts, to make sure the data protection risks are being identified and measured in the most useful way.

If you’d like to know when that post is published, please click here to join our mailing list. You’ll also receive a free DP health check template, and tips on data protection.