Do you know what you have? Do you know what you are doing with it?

My fourth GDPR-themed article. It is designed to encourage debate and discussion and, hopefully, to help you on the journey to GDPR compliance.

Do you know what you have?
Do you know what you are doing with it?

Two very simple questions.
Two very important questions.
If you were asked them, how would you answer?
You could take the philosophical route with these, but I'll leave that angle for another day.
This is about the nitty-gritty of data protection and GDPR, so really the questions are:

Do you know what data you have?
Do you know what you are doing with it?

For the organisations that can, hand on heart, say

“We are fully compliant with the Data Protection Act 1998”,

you know, the one that has been around for nearly 20 years:
you are in a very good place.
You already comply with a substantial part of GDPR.
You have some work to do to bring things up to scratch for GDPR, but it isn't onerous.
Well done.
For the rest …

Unfortunately this probably isn't the case.
This isn't about any particular company or organisation; I have had exposure to enough commercial entities to say confidently that GDPR is likely to be a thorn in the side for many.

Some organisations may be able to turn it round into a competitive advantage, a differentiator.

Your goal is to be able to say:

We know:

  1. Who is the business risk owner for that service and its dependent, constituent parts (article 25).
  2. Who owns and is accountable for the data processed for that service (article 24).
  3. Exactly what profile of data is being processed.
  4. The amount and type of PII (personally identifiable information, which GDPR calls personal data) in this data.
  5. That what we do with PII is lawful, fair and transparent (articles 5, 12).
  6. That we don't hoard PII unnecessarily (article 5: data minimisation and storage limitation).
  7. The impact of the processing we apply to PII, with a data protection impact assessment for high-risk processing (article 35).
  8. That we don't transfer PII outside the EEA without appropriate safeguards or a valid derogation such as explicit consent (articles 44, 45, 46, 49).
  9. Who has access to the data (articles 24, 30).
  10. Where this data is going (articles 24, 30).
  11. Where (all) this data is stored (articles 24, 30).
  12. That we have a clear lawful basis to process the PII for that purpose, rather than relying on consent by default (articles 6, 7).
  13. That the data subject can see the data, check it for accuracy and have it corrected (articles 15, 16).
  14. That we do check the data for accuracy ourselves (article 5).
  15. That we have an easy-to-use mechanism to remove the PII of a particular person (article 17).
  16. That we make it easy to take PII to another service provider (article 20, data portability).
  17. That we use appropriate technical and organisational controls to ensure the confidentiality, integrity and availability of PII (articles 24, 25, 32).
  18. That we apply a properly designed life cycle, including retention and deletion, to our data (articles 5, 25).
  19. That we have the means to report personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (article 33), and to tell affected data subjects where the risk to them is high (article 34).
  20. That we can prove we do the above (articles 5(2), 24, 30).
  21. That our business partners, service providers, data processors and joint controllers also do the above (articles 26, 28).
  22. That we have a Data Protection Officer where article 37 requires one, for example because our core activities involve large-scale, regular and systematic monitoring of data subjects.

(The above isn’t complete … there is more)

In short, we protect the rights and privacy of EU data subjects in compliance with the EU GDPR.

That doesn't seem too bad?

Data protection and data privacy are concepts that have to be baked into strategy, into policy and, most importantly, into the culture; in GDPR parlance, data protection by design and by default (article 25).

This is the overarching structure for data protection in the EU (and in the UK post-Brexit).

Effective Cyber Security for the workplace and home …

I have summarised a few tips that will help you along that route. It isn't set and forget; it's a continual process.

Business Essentials for successful Cyber Defence

Simple to say …

  • Top-level commitment to a good information security management system (ISMS).
  • Information security baked into the company vision for success.
  • Robust policies backed up by process.
  • The right people and sufficient resources to run the ISMS.

Further reading for businesses

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

10 Step Summary

10 Step Executive Summary infographic

From the American Bar Association


Good Cyber Hygiene At home

  • Keep passwords simple to remember and difficult to guess; write them down if necessary, but keep the note somewhere safe and away from the device it unlocks (a password manager does this job better).
  • Don't reuse passwords across important services.
  • Switch on auto-update on your devices.
  • Email is a common way to spread malware; be alert to phishing.
  • Malware and confidence scams are also delivered by SMS text, other messaging services and plain old telephone.
  • Challenge telephone calls from people who claim to be from your bank, the council, etc. Take their name, hang up, obtain the organisation's number from an independent source (the back of your card or its official website) and call them back, ideally from a different phone.
  • Shred documents containing important information (anything that identifies you, your family, your home or your financial details).
  • Check your credit history regularly.

More Consumer Advice

https://www.getsafeonline.org/