The GDPR compliance fallacy

There is a curious irony in the fact that the enactment of the General Data Protection Regulation (GDPR), drawn up to protect individuals and their right to online privacy, brought about an unprecedented torrent of spam. In the fortnight leading up to 25th May, inboxes were filled with emails asking people to opt in to mailing lists, supposedly so that the organisation in question could comply with the requirements of GDPR. There are two fallacies to be addressed here.

Firstly, although individuals must always be given the option to be removed from any mailing list, re-consent is not automatically required. If they willingly provided their contact details to the organisation, the organisation kept a record of what was collected, and the data subject was told at the time what the data would be used for and for how long it would be kept, the original basis for processing may well still stand. In these circumstances a fresh round of explicit consent is not required; what matters is that the organisation can show how and why it holds the data, and that the stated purpose has not changed.

Secondly, although the principles of GDPR are enshrined in UK law and failure to adhere to them can lead to significant fines, there is currently no concrete GDPR compliance process or certification. It is expected that a GDPR compliance standard will be drawn up in the near future, but for now organisations can use the organisational governance requirements of the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001 as a helpful framework. It is then the responsibility of the organisation's Data Protection Officer (DPO) or Chief Information Security Officer (CISO) to ensure that the additional requirements of GDPR, such as data subject rights, breach notification and records of processing, are built into that management system. These are just two of the many fallacies surrounding the GDPR.

Having detailed information security policies and procedures is an important step, but on their own they will not ensure that the requirements of GDPR are satisfied. Plans and policies simply demonstrate management intent; they will be ineffective unless clear guidance, in an easily understood format, reaches the grass roots of the organisation, the people who actually handle personal data day to day. Many businesses would do well to redirect some of the energy expended on emailing their customers into building a good channel of communication about GDPR with their own employees.

It is important to remember that GDPR should not be seen as a burden but rather a positive force for change, focusing attention on implementing better processes for how we collect, store and manage data and thereby enhancing and building better customer relationships.

Professional expert guidance will assist in streamlining this process. SRM's GDPR team provides a business-focused service to organisations of all types and sizes, at every point on the GDPR-readiness spectrum. We have operated in this arena for many years and our GDPR consultants have undertaken GCHQ-certified training. We can also take on the full CISO or DPO role if required.


To gauge your level of GDPR readiness, see our step-by-step self-assessment guide.

See our GDPR web page.

Or visit our blog:

The key to GDPR is common sense

How PCI compliance puts you on course for GDPR

