The head of the organisation is responsible for demonstrating compliance. While some sole proprietors may find little risk in the use of spreadsheets, they are certainly in the minority.
Using spreadsheets for compliance may increase the risk of non-compliance in your organisation. Many accountants will tell you about the security nightmare that is spreadsheet accounting. And now the GDPR introduces another dimension: privacy.
The principles of confidentiality, integrity and availability of data prevail, regardless of the type of processed data. The GDPR’s provisions for security of processing underpin these principles by instructing the controller and processor to implement appropriate technical and organisational measures which include:
The attractions of using a spreadsheet as a tool are many.
But they can be the source of nightmares for any IT security manager.
How many spreadsheet users can encrypt a document containing personal data? How are they backed up and how easily can the correct versions be restored? Spreading them over many devices can severely impact their availability.
Most privacy legislation includes the aforementioned security principles, and also the principles illustrated below. Let us appreciate the risk potential using this simple conversation.
Basil: “Look, I downloaded our customer personal data. I profiled their preferences in this spreadsheet and sent it to Abe’s Loyalty Services.”
Susan: “Really, using which lawful basis? Did you know we don’t allow profiling in Accounts? We’ll need to clear it with Sales and get consent from the customers. Will they be able to easily opt out? Have you informed the data mapping guys or thought about updating our privacy notice?”
Susan: “When you talk to Sales, you’ll need to justify how the profiling is compatible with the original purpose for collection of customers’ personal data.”
Susan: “And this is way too much data – you don’t need the customer’s home address, identity number and health status for this exercise.”
Susan: “And don’t contact customers who are on our do-not-contact list.”
Susan: “You’d better make sure that you and Abe’s Loyalty Services delete these spreadsheets as soon as you’re done. It includes those hard copies I saw on your desk.”
A single, “innocent” download generates a slew of possible breaches. Now picture the real-world scenario where hundreds of customers make data subject access requests. They’re not happy because no one consulted them: their consent was never given, there was no option to opt out and, in some cases, no option to opt in.
At sixes and sevens, you, the CEO, cannot respond fully or timeously.
A complaint is laid. The supervisory authority calls. They want your records of processing activities report and the processor contract with Abe’s Loyalty Services, as well as evidence that proves your employees’ awareness of their roles in data protection, your current privacy notices, and more. Your response? “Um, it’s on a spreadsheet, on a flash drive which I left at home.” Surely it’s all downhill from there?
It’s extremely unlikely that spreadsheets are the solution. You need a single source of truth, available 24/7. An integrated, easy to use solution, providing comprehensive coverage at a competitive price. One that enables collaboration, by informing stakeholders of their data protection responsibilities as well as tasks assigned to them.