What to look for in project management software: Data privacy edition
Over the past few articles I’ve talked about different aspects of data privacy and how that links to project management deliverables and the ways of working for the team. One of the big things that we use as project managers is our software, and often we’re involved with selecting new tools or upgrading existing tools. In this article, I wanted to point out a few things you should be looking for in your PM tools to make sure that you’re having the right conversations about whether they are secure enough for your data. I’m sure your info sec teams will also have a lot to say, so use the content below as a starting point for a discussion, not a replacement for guidance from your internal teams!

Access control and permissions
Ensure that the tool allows for granular control over who can access sensitive data. Role-based access control (RBAC) is essential for minimising the risk of unauthorised access. What this looks like in practice is that you might have one person on the team with admin or ‘override’ permissions, and everyone else just enters the data. In one company I know, the workflow pushes a project between stages. While it’s going through the approval process, no one can edit the data. That’s good because it means all approvers are seeing the same thing, but also a bit annoying if you’ve accidentally left something out or there is another very valid reason for needing to add another attachment, for example. Admin users could have the power to make changes while a record is blocked for editing by ‘normal’ users, but it’s a power to use very carefully!

Data encryption
Verify whether the tool provides end-to-end encryption for both data at rest and data in transit. This ensures that data remains secure even if intercepted, which is important for software that is hosted in the cloud, or for financial information. I don’t know why you’d need information like bank card records in a project management tool, but even your business case information should be company-confidential and you wouldn’t want it accessible in case of a data breach.

Data storage and backup
Assess where the data is stored and whether that meets your requirements. For example, in the UK there are rules around where patient data is stored in the healthcare industry – we couldn’t have certain data stored in off-shore data centres, for example. Check out your regional data privacy laws. Again, project management software isn’t going to have the kind of sensitive, personal information that’s on the same scale as medical records, but you still want to be sure it meets your company’s policies for storage. The same goes for backup. However good your internal systems and however reliable your supplier, can you get the data back when there’s a problem?

Audit logs
This feature is so helpful in the project management software that I use. It’s great to easily be able to see what changed, when and who changed it. Check if the tool has built-in auditing and tracking features that allow for monitoring access to data and changes to project information. And if it does, who has access to see the audit logs? (I’m a believer in transparency here – why not make them available to everyone?)

Certifications
If you’re using software that you’ve bought in, check to see if it (or the company that makes it) has any data or compliance-related credentials like ISO 27001, SOC 2, or EU-U.S. Privacy Shield, which indicate that the tool has passed rigorous security and privacy assessments.

That’s not an exclusive list, but you can use the ideas above as a starting point for thinking about the requirements for data security and privacy for your project management software. What did I leave out? Let me know in the comments!
Training teams on data privacy best practices
One of the major risks facing our projects today is data – and all the problems that can arise when the wrong data falls into the wrong hands. Even if nothing malicious happens with the data, the fact there was a breach can lead to reputational damage and fines. And no project manager wants their project to be the one where data leaked out. So we work on making sure data privacy best practices are built into the way projects are delivered. Mostly, data privacy regulations are baked into internal processes and policies, but it never hurts to have a reminder. Here are some things you can do to foster a culture of data privacy awareness in the team, so they automatically (hopefully) consider data privacy when they are working out work packages and activities.

Start with culture
Build a culture of data privacy. Lead from the top and make it expected that privacy is just ‘how things work around here.’ Make data privacy a part of the team’s daily routine by integrating best practices into everyday project management tasks, such as reviewing documents, storing information, and sharing data. For example, think through who has access to what data, and who gets permission to delete it. I had an interesting discussion with some German colleagues recently who shared that the data privacy laws there are so strict that you can’t ask employees for some information, which must make some aspects of performance reviews, feedback, celebrating birthdays and employee satisfaction surveys really difficult! (If you’re based in Germany, let us know your thoughts in the comments below, or if your country has similar restrictions, tell us about them!)

Offer formal training
If your company offers mandatory data privacy and security training programs for all team members (and they probably do), make sure everyone does the modules. It’s usually e-learning and not onerous, but that also means that people have a tendency to skip to the test or assessment part without actually paying that much attention to the training. However, it’s the minimum people need to do. This training will most likely cover topics like identifying sensitive data, safe data handling practices, and understanding legal requirements – all things you need to have top of mind for projects.

Work through examples
Use your team meetings to work through practical scenarios. Use real-world examples or case studies, for example, internal projects or projects in the media in your industry, to illustrate the importance of data privacy and the consequences of non-compliance. Ask the risk management team if they could write some scenarios for you to discuss and add them to your team meetings as a way of upskilling.

Set clear data handling guidelines
Your company might already have overarching data handling guidelines, so you can lean into those, or set specific ones for your project if it’s data heavy. Guidelines should cover data collection, storage, sharing, and disposal. When you kick off a new project, ensure that every team member understands the policies and any other applicable laws.

Stay on top of changes
One thing I’ve noticed in the 20+ years I’ve been managing projects is how often things change. Privacy law and data laws are changing all the time as technical advancements introduce different types of data and ways that it needs to be managed (AI and deep fakes being cases in point at the moment). Don’t assume nothing has changed since you last did a project with a big data element. Talk to your legal team and get the latest.

Talk about the implications of non-compliance
Make sure people are aware that it’s not a small problem if there is a data breach or non-compliant situation. Your company could risk:

And sometimes the individual might be liable as well as the organisation… so know what you are getting yourself into!
Data considerations for your project
Last month I looked at some of the basics for data privacy on projects. Let’s go into that in a bit more depth this month, by looking at some of the project tasks you can schedule to help manage data on your project within the regulations of your country, whatever they are.
The first activity you can schedule is data mapping. You might already have a customer journey or user flows or process maps. Can you add a swimlane for data on that? Or if necessary, create a new data map. The data mapping exercise should help you understand where, how, and why data is being collected throughout the project lifecycle and beyond.
Another task is creating DPAs with the relevant parties for your project. This is normally something you’d do as you contract with a third party, so lean into the legal or procurement team for support. A DPA is a document that outlines how data will be handled, stored, and protected. There is probably a template within your organisation already. Alternatively, the task is to check that DPAs are already in place, if the vendor is one that you use regularly. I like the kind of tasks that can easily be checked off! They help the team feel they are making progress and ensure that you are putting compliance at the forefront of your processes.
Schedule time to conduct due diligence on third-party tools and vendors to ensure their privacy and security measures meet your organisation’s data protection requirements. You probably won’t be doing the actual due diligence, so talk to your procurement or legal teams, or the data protection officer to find out how this will happen. Again, if your company already has a relationship with the third party, the task here is to check that it was done at some point and does not need to be done again.
Make sure there are activities on the schedule that involve implementing strong security measures to protect project data. That could include setting up multi-factor authentication, data encryption, and secure access protocols. Generally, the IT team would have to take responsibility for doing these things or checking that they are already in place from a third party. Talk to them about the kinds of tasks that need to go on the schedule so they have enough time to put security measures live before the project launches.
Make time for data testing. For example, schedule penetration testing. Look through your risk register for risks related to data breaches or leaks and have mitigation strategies in place that you can test out. That might be checking you can restore from backup or testing security protocols for data access. Again, talk to your technical teams about what this might look like for your projects and put the time in for this work so it doesn’t get squeezed in at the last minute or forgotten about.

All of these scheduleable (is that a word?) tasks will help you address any risks or issues relating to non-compliance and show that you are actively prioritising data privacy. Next time I’m going to look at training teams on data privacy best practices. Meanwhile, why not share your experiences of data on your projects in the comments below? Thanks!
Data privacy for projects
I don’t know about your projects, but the role of data privacy and information governance has certainly expanded since I started managing projects. Data privacy has become a critical concern for organisations globally, and you only have to look at high-profile cases in the media about ransomware attacks, data leaks and breaches to realise that we’re all only one potential hack away from a major problem. Is that on your risk register? It could be.

Projects use or create a lot of sensitive data, depending on what industry you are in. Even if you aren’t dealing with medical records, your project probably includes some confidential company information for you or your clients. Even operational data could be sensitive if a competitor got it. Therefore, project management processes have to take into account data privacy standards. Meeting those is the basics. You have to maintain trust in your organisation and avoid exposing the business to significant legal and financial consequences. Non-compliance can result in fines and reputational damage, and there are plenty of cases in the UK, for example, where GDPR breaches have been heavily fined.

In this article, we will discuss the key data privacy regulations that impact project management, how to assess your project management tools for compliance, and steps you can take to ensure your team handles project data securely.

Data privacy regulations
I know that readers come from all around the world, and privacy laws differ, so I’m not going to try to list all the relevant global legislation. Suffice to say that in the UK where I am based, GDPR is a key regulation. Where you are will no doubt have similar regulations on how personal data is collected, processed, and stored. The laws that I am aware of generally all have similar aims: to ensure data is collected for the right reasons, stored securely and disposed of appropriately, and that data subjects know what is being done with their personal information.

Key principles of data privacy
Projects should take into account how data privacy is going to affect the work of the project and deliverables. Generally (although I’m not a legal expert in your country’s regulations, so take advice from your information governance team), what you are looking for are the following.

Data minimisation
Collect only the data necessary for the project’s purpose. Don’t collect extra things because they would be nice to have or would help a future project. Work out what data is required for the purpose of this project, and that’s all you can have.

Purpose limitation
This principle says that you have to ensure that data is used only for the purpose for which it was collected. In other words, if your project is collecting data for the purpose of processing a customer order, you can’t then use it for something else.

Consent management
People need to know what they are consenting to and what you are going to do with their data. This is all about transparency. If your project is collecting data from people that you didn’t have before, obtain explicit consent for that. Mostly this will be covered off by any privacy notice you have on the site, or in your terms and conditions – so you must make sure your project links in with any existing consent management systems (or builds a new one if needed).

Data security
Not surprising – if you need to build measures to protect data from unauthorised access, breaches, and leaks, do that, or tap into what already exists. This goes for user access too, so make sure only the right people in your company have access to data.

Transparency and accountability
Keep clear records of data handling practices and be transparent with customers about how their data is used. You may find this is already covered in existing terms and conditions or privacy notices, but always take advice from your legal or information governance team, or data protection officer to make sure your project isn’t introducing anything that would diminish existing processes or require new ones.