Unless you’ve been living under a rock, you’ll have noticed that there are lots of people talking about GDPR – which is a good thing.
However, there is lots of nonsense being talked about GDPR – which is a bad thing.
My Twitter timeline, LinkedIn feed and email inbox are being deluged with advertising for GDPR compliance “solutions” and services – which is fine as long as the product in question is treated as a tool in the toolbox and not a magic instant-fix-in-a-box spell for instant transformation.
Based on some of the twaddle I’ve seen being talked about GDPR lately, and my own experience in supporting data protection within organisations, here is a list of markers which, should they appear in an article, advertisement or slideshow, should be a warning to treat the rest of the content with a hefty pinch of salt.
- Banging on about fines. Yes; there is a big maximum fine. No, it’s unlikely to be enforced except for the most egregious cases of reckless negligence. The ICO has never levied the maximum penalty for any breach ever. Based on the evidence available, fines alone are not really a convincing justification for compliance.
- Obsessing about consent. Consent is only one of a number of possible legal bases for processing of personal data. It may not be the most appropriate, desirable or “compliant” basis to select, and insisting on consent where there is a statutory or contractual requirement for processing personal data, or where the individual has no real choice about whether to give consent, may result in “unfair processing”, which could draw regulatory enforcement or litigation.
- Focusing on infosec and infosec tech. Information security (the “confidentiality and integrity” principle) is just 1 of 7 principles and doesn’t even start to fulfil obligations around rights or fairness. While it is important, focusing on infosec to the exclusion of the other principles is just as likely to cause serious problems as forgetting it altogether.
- Claiming that encryption is a mandatory requirement. Yes, it is mentioned specifically in a few places (Recital 83, Article 6, Article 32, Article 34), but it is referenced as an example of a tool with which to mitigate risk. Whether you need it depends on the “scope, nature and context” of processing. Just having encryption will not make you “compliant”, and not having encryption on ALL TEH THINGS will not mean that data is at risk of exposure.
- Making it all about “compliance”. A finding of “compliance” in an audit is merely a snapshot of a point in time, assuming that the audit itself was sufficiently robust. A compliance-focused attitude often leads to ‘gaming the system’ (as anyone who has ever had an argument about scoping for PCI-DSS or ISO2700x can attest). Ticking boxes does not produce the intended outcome on its own; the paperwork must match reality. GDPR requires your reality to uphold principles, obligations and rights. If you’re not doing this in practice, no amount of audit reports, certificates or checklists will save you when it all goes wrong. Think “maturity” and “assurance”, “quality” and “effectiveness” rather than “compliance”.
- Insisting that only lawyers can be DPOs. There are some very good data protection lawyers out there in the wild, but also an awfully large majority of lawyers who know almost nothing about privacy law. There are many experienced and competent data protection professionals who know privacy law inside-out but do not have a law degree. The only reason for insisting on having a lawyer as a Data Protection Officer or DP Lead is if the lawyer is *already* a DP specialist with business, communications & technical skills. The “lawyer” part is incidental.
- Marketing GDPR stuff by breaching other laws (PECR) or in breach of DPA/GDPR itself (were you given a privacy notice about the use of your information for marketing purposes? Is it a fair use of your personal data?).
- Calling it the “General Data Protection Regulations”. Seriously, people. It’s Regulation (EU) 2016/679, singular (even though there is a lot of it).
OK, those are the “approach with caution” signs. But how to find good advice on GDPR? Here’s some advice for spotting people who probably know what they’re talking about:
A competent privacy practitioner will tell you:
- There is no magic spell; time, effort, decision-making and resources will be required to adapt to GDPR requirements
- There is no single tool, audit framework, self-assessment template, cut-n-paste policy or off-the-shelf training module that will make you “compliant”. You need to address systems, process AND culture at all layers and contexts.
- Records management is just as significant as infosec (if not more so)
- It’s not about paperwork – it’s about upholding fundamental human rights and freedoms (OK, that last one might be a step too far for many DP pros, but it is significant both to the intent and the implementation of GDPR.)
A few more handy tips for your Privacy Team lineup:
Domain-specific knowledge is vital and valuable – but remember that specialists specialise, and so it is unlikely that someone who has only ever worked in one area of information governance (e.g. information security, records management) or context (HR, marketing, sales) will be able to address all of your GDPR needs.
The same consideration applies for lawyers – commercial, contract and general counsel-type lawyers are probably not as familiar with privacy law as with their own areas of expertise.
In summary, to find good GDPR advice, you should:
- Get a rounded view
- Consider risks to individuals’ privacy not just organisational impact
- Instil and maintain privacy-aware culture and practices
- Be deeply suspicious of any/all claims of one-stop/universal fixes