Are Spreadsheets GDPR Compliant?

I have been asked a few times if my spreadsheets are GDPR compliant. Instead of explaining this again, I thought I’d rather write this post instead. So, if you’re wondering if spreadsheets are GDPR compliant, read on.

I think this question comes from fear, which has been generated by some software companies who are marketing their software as ‘GDPR compliant’. Now people are afraid of anyone who doesn’t shout about being compliant. The bottom line is this. Software can not make you GDPR compliant. It can make you fall short, but it can not ensure compliancy.

The aspects of GDPR which affect software are things like where the data is stored, who has access to the data, how secure the data is, how the data was collected, and what the data is being used for. When companies say that their software is compliant, what they are saying is that they have the data stored securely, and in the EU (if in fact it is in the cloud), and that you have the necessary control over your data to be compliant. You could have two businesses using the same software, one is compliant, and the other not. It is not the software that makes you compliant, it is your practices when it comes to using the software. The software can prevent you from being compliant, for example if it is hosted somewhere outside of the required borders, so there are some criteria which need to be covered.

So how does this affect spreadsheets? It doesn’t. It affects how you use the spreadsheets, but spreadsheets themselves are neither compliant, nor non-compliant. Look at the above reasons. Where are your spreadsheets stored? Well, that is up to you. How secure are they? That is also up to you. How was the data collected? That is up to you, too. What is the data being used for? Again, up to you.

So here is the bottom line. Spreadsheets are a tool for your business. Make sure you have good policies in place, which your clients understand, and which you stick to. Make sure your data is secure, and that you have control over who accesses it. The spreadsheet itself is just a tool to help you run your business. It is your business which needs to be compliant, not the spreadsheet.

I hope that is clear. I will leave you with this. There are lots of scare tactics being used over GDPR to try and sell products. Get your head around what you need to do, and do it the best you can. I believe that the ICO are genuinely trying to make sure that all of our data is more secure, and not just trying to find people to fine. Don’t impulse-buy just because someone says they’re compliant.

Have a good day.

Richard