Project Management


What do you think? Stakeholder Analysis and General Data Protection Regulation. Is there any conflict?

Stergios Damianos MBA, PMP, CBAP, PMI-RMP Thessaloniki, Greece
Project stakeholders are individuals and organizations that can affect or can be affected as a result of project execution or project completion.
When identifying individual stakeholders we collect and process personal data and other kinds of data so we can analyze and assess their needs, interests, power, influence etc.
The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
According to the GDPR, a processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EEA. Data subjects (individuals) have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.
Eric Simms Senior Program Manager Baltimore, Maryland, United States
First, how does the GDPR define 'personal data'? To me that term might include one's name, phone number and address, and even more sensitive data such as social security number, age, relationship status, and so on.
Assuming the GDPR's definition resembles mine, why would you need to gather personal data to identify stakeholders? What types of projects are you working on that would require stakeholders' personal data to be collected? For my Information Technology projects I usually gather a stakeholder's name, position title and business division, then I write down their interest in the project.
Stergios Damianos MBA, PMP, CBAP, PMI-RMP Thessaloniki, Greece
Eric,
According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
Unless a data subject (e.g. stakeholder) has provided informed consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so.
Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject (stakeholder); an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user.
Thomas Walenta Global Project Economy Expert Hackenheim, Germany
Stergios, agree it is a problem a project manager needs to be aware of and deal with. At least in Europe, but globally if the project touches data from European customers/stakeholders. Most companies have a GDPR person who should be involved, for the project it would then be another constraint and EEF.
Stergios Damianos MBA, PMP, CBAP, PMI-RMP Thessaloniki, Greece
Thomas, thank you for your valuable contribution.
I agree that it would be another constraint and EEF.
I am just thinking that this EEF adds complexity and affects the substance of a couple of project management processes!
Thomas Walenta Global Project Economy Expert Hackenheim, Germany
Agree Stergios. The question for me is if this compliance issue has to be handled on project or organization level like other compliance issues. If the organization handles it, they should provide guidelines and support, even make sure it is handled centrally. A project normally is not a legal entity that can be prosecuted.
Justin Gregson Business Process Excellence Consultant/ PM| Covance Cambridge, United Kingdom
I'm late to this thread, but I have similar concerns to Stergios. As such I've shied away from keeping a detailed stakeholder analysis over the last 12 months or so; however, I'm now approaching a situation where this will likely bite me in the back. Now GDPR has settled in a little bit, it's plain to see that interpretation of these regulations still varies widely between organisations. I think this example is particularly important because a stakeholder analysis is probably about the most generically inflammatory document in our arsenal. The only solution I can think of is to rely on detailed meeting minutes for a log of stakeholder interaction and keep the rest in your head.
However, meeting minutes could also be classified as personal data. I can't imagine handing out forms containing an option to opt-out of being included in minutes. Similarly an email sent referring to a person could also be classified as personal data. To a degree, use of that which is defined as "personal data" under GDPR is a requirement of the job - for example, you wouldn't refuse to give your name at a job interview or to payroll. Perhaps the way to do this is to cover it contractually in the terms and conditions of employment. I would be interested to hear how you or anyone else is dealing with this in 2020.
Stéphane Parent Self Employed / Semi-retired| Leader Maker Prince Edward Island, Canada
Personal information has to be accurate and precise, therefore objective. By and large, your stakeholder analysis will contain subjective information. I touched on that topic in my blog post, Resourcing your presentations.
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
You do not need to get personal data when performing project stakeholder management. If somebody is doing that then they are performing something more than project stakeholder management.
Kiron Bondale Retired | Mentor| Retired Welland, Ontario, Canada
I'd agree with Sergio on this. Identification & analysis of stakeholders who are individuals (as opposed to groups, companies or other entities) should not require much more than their name and role as it relates to the project.

However, when we get to activities such as communications planning, if there is a need to gather more personal data such as their address, phone number, online contact information and so on, that may cross the line into the jurisdiction of privacy regulations.

Kiron
Thomas Walenta Global Project Economy Expert Hackenheim, Germany
Well, as soon as you analyse individual stakeholders, you are gathering data about them, like their interests, power, requirements and you derive information about them.

You develop strategies to influence them to support your project or at least be fenced off to disturb it.

You probably look at their public profiles, extract what you need. You have their email, phones, and you monitor your engagement with them like feedback, meeting attendance, issues etc.

This information as a total is highly sensitive and you do not want to share this with them. Think it could qualify as personal data, at least the data gathered.

Ask your GDPR specialist.
May 18, 2020 8:03 AM
Tim PM
Agreed, in our organisation even a system that just records names has to have GDPR approval