The new EU General Data Protection Regulation (GDPR) will become binding law at the end of May this year. The aim of the regulation is to establish greater control over the handling of personal data.
As project managers, we must be aware that personal data may also be handled within projects, especially with respect to project communication and documentation as well as other areas that may be impacted. To comply with GDPR, we must be more conscious of personal data handling in project management via a more strategic and systematic approach to collecting and storing data. Informing and collecting consent from individuals about the collection and processing of their personal data may also be required where applicable by the regulation.
I co-authored the paper Project management and GDPR that was presented at the Slovenian Society Informatika annual conference in April 2018. In the paper, we state that in addition to process and awareness, project managers must also ensure that the project management software that they are using complies with GDPR. We should review features of the software such as whether personal data is stored securely.
Some aspects of project management that are worth reviewing with respect to GDPR also include:
- Define the minimum amount of personal data required to manage the project efficiently, and determine how long that data must be retained.
- In projects whose scope includes some form of personal data analysis, we must ensure GDPR compliance through a clear understanding of the analyses that will be performed and adequate consent to perform them.
- Project resource cost should not be disclosed per person, but rather by role, in order to protect personal data, unless adequate security and need-to-know access controls are in place.
- When communicating with the project team, consider who must be informed and do not include personal data such as email addresses when not required.
- Projects where personal data is handled as part of the project scope should have adequate risk management in place to address GDPR requirements.
- When subcontractors have access to personal data related to the project, we must ensure that the subcontractors also comply with GDPR.
- In some projects where personal data is handled, a data protection officer may be required and must therefore be included as a project stakeholder.
GDPR will require a broader awareness of handling personal data, stricter data security governance and sufficient management of access rights. As project managers, we are responsible for adherence to all required regulations.