GDPR – a defensible position

Simon Merrick, GDPR Transformation Specialist at Agilisys discusses why, with less than one month to go until GDPR enforcement, a defensible position should be the default

The General Data Protection Regulation is a regulation, and if there is one thing that does not get anyone out of bed in the morning, compliance managers aside, it is compliance with a regulation.

As a management consultant, I am often working with organisations to change behaviours, thinking and outcomes. Finding that ‘reason to change’ is sometimes the hardest part of the job. That reason might be a business threat or objective, an innovative technology or simply a change of individual. On rare occasions it can be legislative too. So how excited was I to find the Information Commissioner, Elizabeth Denham, saying that GDPR was “the biggest change to data protection law for a generation”? If there was ever a catalyst for transformational change in this digital age, here it was. Or was it?

The 25 May 2018 enforcement date has been bandied around by some as if it were 1 January 2000, despite the ICO saying the contrary: get compliant by the date or doomsday will fall. I recall a recent conversation with a colleague who still remembers Y2K and waited by the phone for that call to IT on the first day of the new millennium. Nothing. Second day. Still nothing. Third day. The phone rings. But it is just to say everything is OK, all systems go.

An opportunity, not a threat

GDPR, however, is not like the Year 2000. Massive fines are not going to drop on 26 May. It is a transformation opportunity, an evolving data privacy journey, a catalyst for change, if an organisation is so disposed. But if you have done nothing so far and you are hoping to ‘be compliant’ by the date, you are barking up the wrong tree.

The regulation contains many flexible-sounding words such as appropriate, suitable, reasonable and adequate. These terms all need continual interpretation within your own organisation, because every organisation and its use of personal data is different and changes daily. GDPR requires you to demonstrate that you are compliant, not just say that you are. A snapshot of your data privacy position from a year ago is not enough. Lawyers will be rubbing their hands, and test cases can be expected to appear as the regulation is stretched and pulled into shape.

For the organisation looking to do what it needs to with one month to go, compliance should not be the objective. The objective should be establishing a continually defensible position: one that you can justify should the ICO come knocking on the door.

Creating and maintaining a thorough register of processing activity is the number one priority. This should demonstrate that you have legitimate reasons for processing the data. It should be followed by documenting the decisions and actions you are taking in deciding how you manage data privacy risk across your organisation and its supply chain. A data privacy governance body can help. Even if these actions are not complete, they will go some way to establishing your defence by showing that you are doing everything you can to be as compliant as possible.

Finally, appointing a Data Protection Officer, if you are a public-sector body (other than a court acting in its judicial capacity) or a large processor, is a major, demonstrable piece of evidence that you are serious about data privacy and following the law.

For the enterprise looking to do more than establish a defensible position, the focus should be on how the organisation can create communications that build and maintain customer and employee trust. It is a much bigger task, but one that is truly aligned with the essence and spirit of GDPR.