I’m keen to change the perception that GDPR (General Data Protection Regulation) will act as a drag on organizations. I also want to avoid others falling into the trap of thinking the only inducement for an organization to comply is to avoid a fine. But before I attempt this, I’m going to briefly stray into another passion of mine; cars – just to make a point.
To drive safely, several conditions must be met: my vehicle must be in good condition and regularly inspected to ensure it meets minimum safety standards. I must adhere to the rules of the roads on which I travel, and I need to drive in a manner suitable for the prevailing conditions. Finally, there is an expectation from me that everyone else will do the same. For me, the freedom I gain by following the rules far outweighs any inconvenience I may experience. And, basically, that’s how I feel about GDPR, too. It’s designed to reinforce the information-related rights and freedoms of European citizens, and provide standardization for organizations which, in turn, enables greater efficiencies.
We are not starting from scratch, after all. Data protection regulations already exist and, for personal data held on EU citizens, GDPR will harmonize them. And, if an EU citizen is trusting you with their personal data, common sense says you will want to protect that data. In effect, common sense will be enshrined in a legal framework and, whilst I am sure the advent of GDPR will bring greater scrutiny, I am equally confident the approach of regulators will be proportionate. For instance, Elizabeth Denham – the UK Information Commissioner – wrote in her blog that of the 17,300 cases concluded under existing regulations in the UK during the financial year 2016/2017, only 16 resulted in fines and none were at the maximum level. Harking back to driving, this is analogous to a scenario where two drivers cause two different accidents with similar outcomes but the penalties imposed may be different based on mitigating circumstances.
As we approach May 2018 (when GDPR becomes enforceable), there are many things organizations can and should do. For me, a great place to start is “data protection by design.” The foundation of this approach is the information lifecycle, which gets to the very heart of why data is important to you and challenges you to consider what data you actually collect and what you do with it once you have it. You will see many variants on the information lifecycle but I tend to think about four main phases: collect, store and secure, use, and disposal.
Collect (only what is relevant)
Every successful organization relies on good data. But data is so prolific, the temptation is to collect it just because we can. Think about which data is critical to your business and then define the purpose for which it is collected and the legal basis for collecting it. Consent is one of the lawful bases GDPR recognizes, but not the only one (performance of a contract, a legal obligation and legitimate interests are others); whichever applies, it must be clear to the individual how you intend to use their data. You will have to pay to store and protect every piece of data you collect, so it makes good business sense to collect only what is relevant.
Store and Secure (with a data value in mind)
I cannot overstate the importance of defining what data you need to collect, the purpose for which it will be used, and for how long you want to keep it. You need to know not only what data is stored, but also where it is stored at any given moment and this can be tricky in a public/private multi-cloud environment. You can outsource the practice of storage but, under GDPR, you cannot outsource your accountability for the safety of personal data managed on your behalf, so I believe assigning a notional value to your data is useful. The notional value will influence where you physically store specific datasets, and the level of security you assign to them. Knowing this enables you to have the appropriate agreements in place with third-parties, manage costs more effectively, and implement your security posture more efficiently.
Use (who and what)
Nowadays it’s not just who is using the data, it’s also what is using the data. Organizations are complex structures and many departments such as customer service, billing, sales, and marketing, or human resources, payroll, and training may have legitimate reason to collect different datasets pertaining to the same individual. You need to understand the implications of the aggregation of these datasets across your own estate as well as those of any third-party suppliers. The legal basis for data use underpins access rights; who has access to it, and what each employee, or application, can do with it. As your organization transforms, you need a process in place to migrate data responsibilities too.
Disposal (is it really gone?)
On the face of it, the final stage in the information lifecycle is the most straightforward. Simply hit the erase button and it’s done. But, as with most things in life, it’s not quite as simple as that. Hitting the delete key typically removes only the directory entry and marks the underlying blocks as free; the bytes stay on the device until they happen to be overwritten, and on SSDs wear-levelling means even a deliberate overwrite can leave copies in blocks the operating system cannot address. This means additional consideration is needed when you choose to end-of-life your own servers, computers, or phones – in fact, anything on which personal data may be stored. When third-party suppliers are involved, you do not have the same degree of control (their backups and replicas are on their schedule, not yours) and this reinforces the need to plan and manage your data environment proactively.
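One technique practitioners use to answer “is it really gone?” when the storage is not under their control is cryptographic erasure: each dataset is encrypted under its own key, the ciphertext may sit in provider backups you cannot reach, and disposal consists of destroying the key. The example below is added here to illustrate that idea and is not code from the original post, nor the author's recommended method. Everything in it is an assumption for illustration: `KeyStore` stands in for a KMS or HSM, `ThirdPartyStore` models a provider that keeps snapshots you cannot delete, and the cipher (SHAKE256 used as a keystream with an HMAC-SHA256 tag) is chosen only because it needs nothing beyond the Python standard library. A real deployment would use AES-GCM from a vetted library and a managed key store.

```python
"""Cryptographic erasure ("crypto-shredding") demo using only the standard library.

Added example, not from the original post. Names, the in-memory key store and
the SHAKE256/HMAC construction are illustrative assumptions; use AES-GCM and a
real KMS in production.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class KeyStore:
    """Stand-in for a KMS: one data-encryption key per dataset."""

    def __init__(self):
        self._keys = {}

    def create(self, dataset_id):
        self._keys[dataset_id] = secrets.token_bytes(32)

    def get(self, dataset_id):
        if dataset_id not in self._keys:
            raise KeyError(f"no key for {dataset_id}: dataset has been erased")
        return self._keys[dataset_id]

    def destroy(self, dataset_id):
        """The disposal step: the only copy of the key is discarded."""
        self._keys.pop(dataset_id, None)


class ThirdPartyStore:
    """Models a provider that keeps backup snapshots on its own schedule."""

    def __init__(self):
        self.primary = {}
        self.backups = []  # copies you cannot reach to delete

    def put(self, dataset_id, blob):
        self.primary[dataset_id] = blob
        self.backups.append((dataset_id, blob))

    def delete(self, dataset_id):
        self.primary.pop(dataset_id, None)  # backups are untouched


def _subkeys(key):
    # Derive separate keystream and MAC keys from the stored data key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    # SHAKE256(enc_key || nonce) as an XOF yields a per-message keystream.
    keystream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    keystream = hashlib.shake_256(enc_key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))


def store_record(keys, store, dataset_id, record):
    keys.create(dataset_id)
    store.put(dataset_id, encrypt(keys.get(dataset_id), record))


def read_record(keys, store, dataset_id):
    return decrypt(keys.get(dataset_id), store.primary[dataset_id])


def dispose(keys, store, dataset_id):
    store.delete(dataset_id)  # best effort at the provider; its backups remain
    keys.destroy(dataset_id)  # the step that actually makes the data unreadable


def residual_copies(store, dataset_id):
    """Ciphertext copies that survive at the provider after disposal."""
    return [blob for did, blob in store.backups if did == dataset_id]


def recoverable(keys, store, dataset_id):
    """True if any surviving copy can still be turned back into plaintext."""
    try:
        key = keys.get(dataset_id)
    except KeyError:
        return False
    return any(decrypt(key, b) is not None for b in residual_copies(store, dataset_id))


if __name__ == "__main__":
    keys, store = KeyStore(), ThirdPartyStore()
    # Constructed sample record, not real personal data.
    store_record(keys, store, "customer-42", b"Jane Doe, jane@example.com, NL")
    print("readable before disposal:", read_record(keys, store, "customer-42"))
    dispose(keys, store, "customer-42")
    print("copies left at provider:", len(residual_copies(store, "customer-42")))
    print("recoverable after disposal:", recoverable(keys, store, "customer-42"))
```

The point the run makes is that after `dispose` the provider still holds a copy, but nothing can turn it back into the record; that is the property you can actually verify from outside, whereas a supplier's claim to have wiped its backups is not. The inverse caveat also holds: if the key was ever copied (to a log, a developer laptop, a backup of the key store), destroying the primary copy erases nothing, so key handling deserves the same lifecycle discipline as the data.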
Whilst the information lifecycle will not, in itself, make you GDPR compliant, knowing where your data is, who and what is using it (and why), and being confident it is destroyed when you and your agents erase it makes good business sense. A “data protection by design” approach enables you to develop policies and processes logically, create meaningful employee education programs, and, ultimately, protect your data more effectively.
You must not rely on the information in this blog as an alternative to legal advice from your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of i