Spreadsheets and the risk to GDPR compliance.
The head of the organisation is responsible for demonstrating compliance. While some sole proprietors may find little risk in the use of spreadsheets, they are certainly in the minority.
Using spreadsheets for compliance may increase the risk of non-compliance in your organisation. Many accountants will tell you about the security nightmare that is spreadsheet-accounting. And now, the GDPR introduces another dimension: privacy.
Security of processing
The principles of confidentiality, integrity and availability of data prevail, regardless of the type of processed data. The GDPR’s provisions for security of processing underpin these principles by instructing the controller and processor to implement appropriate technical and organisational measures which include:
- the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
The attractions of using a spreadsheet as a tool are many.
- Ease of use. They’ve been around for a long time.
- Ease of access. Default installations or freeware.
- Ease of replication. Copy, paste, email, done!
But they can be the source of nightmares for any IT security manager.
How many spreadsheet users can encrypt a document containing personal data? How are they backed up and how easily can the correct versions be restored? Spreading them over many devices can severely impact their availability.
Privacy in processing
Most privacy legislation will include the aforementioned security principles and also the following. Let us appreciate the risk potential using these simple conversations.
Lawfulness, fairness & transparency
Basil: “Look, I downloaded our customer personal data. I profiled their preferences in this spreadsheet and sent it to Abe’s Loyalty Services.”
Susan: “Really, using which lawful basis? Did you know we don’t allow profiling in Accounts? We’ll need to clear it with Sales and get consent from the customers. Will they be able to easily opt out? Have you informed the data mapping guys or thought about updating our privacy notice?”
Susan: “When you talk to Sales, you’ll need to justify how the profiling is compatible with the original purpose for collection of customers’ personal data.”
Susan: “And this is way too much data – you don’t need the customer’s home address, identity number and health status for this exercise.”
Susan: “And don’t contact customers who are on our do-not-contact list.”
Susan: “You’d better make sure that you and Abe’s Loyalty Services delete these spreadsheets as soon as you’re done. It includes those hard copies I saw on your desk.”
A single, “innocent” download generates a slew of possible breaches. Now, picture the real-world scenario where hundreds of customers make data subject access requests. They’re not happy because no one consulted them. Their consent was never given and there was no option to opt out and, in some cases, to opt in.
At sixes and sevens, you, the CEO, cannot respond fully or timeously.
A complaint is laid. The supervisory authority calls. They want your records of processing activities report and the processor contract with Abe’s Loyalty. As well as evidence that proves your employees’ awareness of their roles in data protection. And your current privacy notices…and…and. Your response? “Um, it’s on a spreadsheet, on a flash drive which I left at home.” Surely, it’s all downhill from there?
What about your GDPR compliance management?
It’s extremely unlikely that spreadsheets are the solution. You need a single source of truth, available 24/7. An integrated, easy to use solution, providing comprehensive coverage at a competitive price. One that enables collaboration, by informing stakeholders of their data protection responsibilities as well as tasks assigned to them.