by Tom Fairfax, Managing Director
It is not often that EU-wide legislation is likened to a children’s story. Consider, however, the story of Goldilocks and the three bears. When it comes to the General Data Protection Regulation there are three types of organisation. There are those who are running around in a state of panic, going completely over the top, deleting all their data and sending frenzied emails to everyone in their contact databases. There are others who are simply doing nothing. Then there is the third group which is following and communicating a measured plan and, in short, doing it just right. The key is common sense.
The fact is that most organisations need to be doing something. There is a clear obligation to act and doing nothing is simply not an option. A policy of ‘let’s wait and see’, or plain corporate procrastination, will only lead to tears at bedtime. GDPR builds on existing Data Protection legislation, protecting the rights of individuals and their data, and this means that every organisation, from a small voluntary group to a large multinational, must have an enacted plan or risk falling foul of the regulation.
Organisations and individuals alike should already have a clear idea of what they need to do. If they haven’t they should step back and think about what personal data they hold and why. Many of us may still be holding unnecessary levels of personal data; many of us will have failed to consider what data we actually need and many may have failed to get appropriate permissions. For the majority of organisations it may be necessary (and possibly desirable) to have a robust data weeding project. Some data, however, is likely to be held for legitimate operational purposes, and in some cases, its wanton destruction may disenfranchise stakeholders.
Common sense should prevail. Data collection, storage and processing should be driven by a business need and supported by appropriate permissions. It is also necessary to think hard about when information actually becomes redundant and to have a sensible process to pick this up and delete it. This is not new: we should really have been doing this anyway. The ‘just right’ group will have worked out what they need to do and will have made a plan.
The important thing to remember is that, whilst GDPR does not actually prescribe an explicit compliance programme, its key intent is to ensure the safety of personal data. For those wrestling with widespread compliance, organisations already following frameworks such as PCI DSS (for card payments), MiFID II (for the financial industry) or international standards such as ISO 27001 will have done much of the security work already and will just need to understand the gaps that exist. Those gaps tend to lie where GDPR goes beyond information security: the lawful basis for each processing activity, the rights of data subjects, and the duty to notify breaches, none of which a security standard covers on its own.
If a system is properly safeguarded, with an inbuilt process of compliance, maintenance and development through these recognised frameworks, then many of the principles of GDPR will likely be adhered to. The job of the Data Protection Officer (DPO) or Chief Information Security Officer (CISO) is to complete the due diligence that confirms this is the case. Professional expert guidance will give these key individuals the support they require in making these judgement calls.
It is not sufficient, however, simply to draw up a policy, no matter how detailed, informed or expert it may be. Plans and policies merely demonstrate management intent. If the plan is not disseminated and implemented, and if clear, understandable guidelines are not provided in a timely way, even those with a meticulous plan will simply be left with cold porridge.