by Jim Ashton | Oct 12, 2017
GDPR scaremongering is a ploy that is over-used and misleading. There are a lot of "expert" sources spreading near extinction level event scare stories about GDPR. Motivation by fear works. It makes people run away and act irrationally. As a business, running away and acting irrationally may not be the best way to make improvements and react to change.
Purpose of this document
This article is an antidote to GDPR scaremongering. It offers rational, constructive advice and opinion about implementing a successful GDPR structure that will get you over the line by May 2018.
- DPIA: Data Protection Impact Assessment, a method for performing personal data risk assessments on processes and procedures. A DPIA is required where processing is likely to result in a high risk to individuals.
There is a lot of GDPR scaremongering built around massive fines to the point of bankruptcy and being thrown in jail for breaching the GDPR.
Let's get real. The GDPR is not an albatross around your neck. It is a unique opportunity to show that you care about the people who your business serves. They trust you with the goods or services you provide. They should also be able to trust you with the personal data that they give you.
Let's personalise it. Would you like it if you entrusted something valuable to someone else's care and they misused it? It's a closed question. You wouldn't.
The same applies to personal data. It is valuable and it should not be misused. Everything about the GDPR comes back to one thing: its purpose.
The first article in the GDPR states that: "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."
There are extensions in the E-Privacy regulations, but I'm focusing on the GDPR.
The key words in that purpose are "protect personal data". That is your objective. If you can demonstrate to a regulator that you have taken this on board and tried to do something about it, there should be nothing to fear.
The GDPR is not an unknown. It is a fairly well-thought-out regulation that fits into a few concise boxes, each dealing with a specific aspect of data protection:
- A general description
- Its principles
- An individual's rights to protection
How companies should operate:
- How to collect personal data lawfully
- How to process personal data lawfully
- How to transfer personal data lawfully
It also goes into the supervisory and enforcement structure that oversees the regulation.
Nothing scary so far.
These six points break down into a set of key, discrete blocks:
- Managing external relationships, controlling personal data flows into and out of your organisation
- Establishing a risk-appetite-based, policy-driven governance structure
- Establishing a GDPR framework operating model
- Appointing a Data Protection Officer (or equivalent) to give advice, provide oversight and manage the relationship with the supervisory authority
- Documenting your processes and data use
- Establishing transparency and individuals' rights processes
- Periodic reviews to keep up to date with any regulatory changes
- Periodic reviews of any agreements involving data sharing or transfers
- Conducting risk assessments (DPIAs) when personal data processes or procedures change
- Periodic reviews of security measures
- Detecting and escalating suspected data loss (breaches)
None of these are beyond the wit of man and in many organisations, some will already exist.
For an initial effort, "map and gap" is the start. Review existing agreements involving data sharing or transfers. Review digital and physical security measures. Review operating manuals and any other documentation. From this you will understand where data enters and leaves your organisation, how adequate your storage security actually is, and get a good idea of how data is used.
The main transformation is cultural. You will enable change through training. Make it personal. Educate people to treat other people's personal data with the same respect as they would expect their own to be treated.
The refrains: "Do as you would be done by" or "Do unto others as you would have them do to you" are the most appropriate.
I heat mapped the fines over the operational structure I designed for a client. The Head of Risk and Compliance (my boss) took one look and said, "training is the key".
Even the Information Commissioner's Office statistics show that almost two-thirds of all breaches are caused by human error.
Going back to the key, discrete blocks, you will see that they are (in the main) human-based and structural. People need to know what to do. When they do, things generally work out OK.
The scary stories are overblown. Anyone who has worked in compliance (and the GDPR is very much a compliance issue) will know that if you show a regulator that you have taken a regulation seriously and made a best-endeavours attempt to comply, they will be much more understanding than if you have not.
A little knowledge is dangerous as well. I have seen projects where every single computer record that has a "last amended by" indicator in it showing an employee ID or email address is personal data. I have been asked whether a wall board showing the names of previous company presidents and CEOs is now illegal because none of them ever gave their explicit written consent to be put on the board. I've been asked to interview for jobs where part of the effort for the GDPR is detailed data lineage analysis.
Let us get a sense of proportion about the GDPR and go back to "protect personal data". The message is: don't do stupid stuff with other people's personal data.
- Establish the governance, based on a risk appetite
- Establish the operating structure to process data and honour individuals' rights
- Establish the training
- Establish proportionate, risk-assessed processing and storage security
Well-trained staff, working in a structured environment, operating under risk-based governance and using data in a protected environment: that is your objective.
There are artefacts that should be kept. These are identified in a reasonable level of detail in the regulation and they will be natural outcomes of your implementation.
When you do implement, you will be able to show everyone who has entrusted their data to you that you are respectful of their privacy, and you will have a better understanding of how your business operates.
At a minimum you should be able to answer the following important questions:
- What personal data do we hold?
- Where is it?
- What is it being used for?
- How secure is it?
To help you keep focused and stay away from some very appealing-looking rabbit holes, bear the following four principles in mind for your chosen solution. It should be:
- Practical: easy to use
- Pragmatic: realistic and sensible
- Performant: as non-intrusive as possible
- Proportionate: risk appetite based
With the blessing of the company's CRO and Head of Compliance, I'm about to release a version 1 GDPR implementation into BAU on November 3, 2017. It has taken 6 months to create from scratch and it is based on the above.