
GDPR II – a business issue


10 April 2017

“Every ‘data controller’, and we generally know how wide that term is, is both responsible for compliance and now has to be able to demonstrate that the organisation is compliant. It is no longer sufficient to be compliant—you have to be able to prove it. That accountability is perhaps the most significant change that GDPR brings, given that the basic principles of protecting personal data in the EU go back a couple of decades. In the case of organisations with more than 250 staff the detailed responsibilities are more extensive. Even in small organisations the appointment of a Data Protection Officer is mandatory if it is a public body or processing large amounts of personal data for any reason.


“It does not take a data breach to be found non-compliant. On the other hand, in the absence of case law, the general understanding is that the ability to demonstrate diligence in pursuing compliance will be sufficient to pass scrutiny.” – Pat Larkin, Ward Solutions

“A key area to examine and make sure of is the sources of the personal data, the purposes for which the information was obtained, the legal basis for processing and the expected retention periods. It must have been fairly obtained. In recent times, businesses have tended to regard marketing lists as valuable assets to be exploited. But if the personal data has not been fairly obtained or is being used for different purposes or by a third party, it suddenly under GDPR becomes a liability that could get the business into trouble,” Swanton points out.

“From now on, for a person’s consent to be valid under GDPR, it cannot be simply implied but requires a clear affirmative action agreeing to specific terms—not necessarily a signature but some positive mechanism, especially online. Very importantly, there is no provision in the GDPR for ‘grandfathering in’ of data previously collected on the basis of implicit or ‘opt out’ consent. It must also be possible for people to withdraw consent, and that cannot be more difficult than it was to give it in the first instance. These are types of nominally consent-based data that organisations will have to look at very carefully in their review or audit of the range of personal data they hold.”

Unstructured danger
Echoing the call for a preliminary audit, in whatever form, of the personal data an organisation may be holding, Jason Burns of IBM zeroes in on unstructured data. “Formal databases are one thing but there is inevitably personal client data in anything from spreadsheets to correspondence, email, team collaboration files, whatever. I think organisations are slowly beginning to grasp the sheer breadth of GDPR as they try to identify the key risk areas for them.”


“We are having workshops for clients and essentially we are encouraging them to simply get started. In the process of working through what you know, you will make discoveries. The area of highest risk is what you don’t know about the data you hold. There is a lot of focus on the potential fines and the legislation and all of that. But our view is that GDPR is actually a very good thing for organisations and businesses, not just another set of burdensome regulations,” he says.

“However, it does call for a complete change of attitude to data handling and privacy in many industries and organisations.”

“What I would like to emphasise is that organisations can implement GDPR with a minimum amount of technology,” Burns says. “It is about your policies and processes and your care of people’s information. In many ways, it is a cultural shift, but that is the point. Governance is good, data protection is not a burden. IT can’t do it for you—but it can certainly ensure it is carried out properly and consistently.”

One of the many positive things about GDPR is that compliance with it immediately becomes best practice in Europe, Burns points out. “It may well become a de facto world standard, after Brexit and because all multinationals trade with the EU.”

TechCentral.ie