GDPR compliance in spreadsheets
Europe’s General Data Protection Regulation (GDPR) is a new law governing data protection and privacy for citizens of the European Union. Its aim is to give individuals control over their data and to simplify existing regulations. GDPR becomes enforceable on May 25th 2018, and companies found not to comply with the regulation can be fined up to €10 million or 2% of worldwide revenue. Spreadsheets are the least controlled data repositories for most companies and are therefore the most prone to being non-compliant with GDPR. In this article, we give you recommendations for managing GDPR compliance in your spreadsheets.
What data is covered under GDPR?
The regulation applies to companies that are located in the EU or that control or process data of people located in the EU. GDPR covers all personal data which is defined by the European Commission as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
What are the responsibilities of data controllers and processors?
Data controllers must implement protective measures for personal data. This includes “pseudonymizing” personal data as soon as possible, so that data points cannot be linked to a person’s name or ID. Further, data may not be processed unless there is a lawful basis to do so. Lawful bases include the explicit consent of the data subject, compliance with a legal obligation, and the performance of a contract to which the data subject is a party, among others.
How does this impact the governance of spreadsheets?
Virtually all companies either store their data in, or download it to, spreadsheets for analysis and reporting. Frequently this means the data leaves a controlled environment (such as an ERP) and enters an uncontrolled one (e.g. a spreadsheet that can be freely shared among colleagues and others). GDPR does not prohibit your company from storing personal data; it requires that you have proper controls over it, including knowing what information you have, where it is stored, and who has access. The steps to ensure your spreadsheets are GDPR compliant are:
1. Know which spreadsheets contain personal data
2. Delete spreadsheets that are not essential to day-to-day operations
3. Restrict access to those spreadsheets to only the people who need to know
4. Routinely repeat steps 1-3 to ensure that you remain in constant compliance
How can Sheetgo help you achieve GDPR compliance in spreadsheets?
Sheetgo’s enhanced Scan Sheets feature can scan all of the spreadsheets on your Google Drive, read all of the tab names and header names (we don’t have access to any data in your spreadsheet that is not in the header row), flag sheets that potentially contain personal data, and inform you of all users inside and outside of your domain who have access to those sheets. Request your free report by filling out the form below.
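As an added example (not Sheetgo’s code), here is the header-only check described above together with the inventory and access review from steps 1 and 3, in Python. The sheet metadata, the company domain (example.com) and the sharing lists are constructed for illustration; a real scan would obtain them from the Drive and Sheets APIs.

```python
import re

# Constructed inventory standing in for a Drive scan: per sheet, the header row of each
# tab and the accounts it is shared with. Only header rows are inspected, as on the page.
INVENTORY = [
    {"title": "Payroll 2018",
     "tabs": {"Staff": ["Employee Name", "IBAN", "Home Address"]},
     "shared_with": ["hr@example.com", "payroll@example.com", "consultant@gmail.com"]},
    {"title": "Q1 Sales Pipeline",
     "tabs": {"Deals": ["Deal ID", "Value EUR", "Stage"]},
     "shared_with": ["sales@example.com"]},
    {"title": "Newsletter Signups",
     "tabs": {"Subscribers": ["e-mail", "IP_Address", "Signup Date"]},
     "shared_with": ["marketing@example.com", "agency@partner.org"]},
]

# One header regex per personal-data category named in the GDPR definition quoted above.
PII_PATTERNS = {
    "name": r"\bname\b|\bsurname\b",
    "address": r"(?<!ip )\baddress\b|\bpost ?code\b",  # keep "ip address" out of this class
    "email": r"\be ?mail\b",
    "bank details": r"\biban\b|\bbic\b|\b(account|card) (no|number)\b",
    "medical": r"\bmedical\b|\bdiagnosis\b|\bhealth\b",
    "ip address": r"\bip address\b",
    "photo": r"\bphoto\b|\bpicture\b",
}

def normalise(header):
    """Lower-case a header and collapse '_', '-', '.' and runs of spaces to one space."""
    return re.sub(r"[\s_\-.]+", " ", header.strip().lower())

def classify_headers(headers):
    """Return the set of PII categories matched by any header in the row."""
    found = set()
    for text in map(normalise, headers):
        found.update(c for c, p in PII_PATTERNS.items() if re.search(p, text))
    return found

def scan_inventory(inventory, domain):
    """Step 1 (find sheets holding personal data) plus the access review that feeds step 3."""
    findings = []
    for sheet in inventory:
        categories = set()
        for headers in sheet["tabs"].values():
            categories |= classify_headers(headers)
        if not categories:
            continue  # no personal-data headers: nothing to govern here
        external = sorted(u for u in sheet["shared_with"]
                          if not u.lower().endswith("@" + domain.lower()))
        findings.append({"title": sheet["title"], "categories": sorted(categories),
                         "external_access": external})
    return findings
```

Calling `scan_inventory(INVENTORY, "example.com")` flags the payroll and newsletter sheets, each with the categories found and the accounts outside the domain that can open them; the sales pipeline is left alone.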