Context

GDPR scaremongering is a ploy that is over-used and misleading.

  1. There are a lot of “expert” sources spreading near extinction level event scare stories about the GDPR.
  2. Motivation by fear works. It makes people panic, run away and act irrationally.
  3. As a business, panicking, running away and acting irrationally may not be the best way to make improvements and react to change.
  4. Moreover, when the fear-monger’s predictions of armageddon fail to appear, the fear message morphs into: “it was all hot air and we don’t need to do much, if anything at all”.

The GDPR has been in effect since May 2018. There are still a lot of organisations that have done very little about becoming GDPR compliant because they don’t believe the fear-mongers.

Purpose of this document

This article is an antidote to GDPR scaremongering.

Instead, it offers sensible, constructive advice and opinion about implementing a successful unified data privacy control framework that will get you over the line and help you sleep better.

The GDPR has teeth and is a legal requirement for all organisations (regardless of location) that process the personal data of the citizens and residents of EU and EEA member countries. Here’s the current list of countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.

Terminology

  • DSAR – Data Subject Access Request, a request made by a data subject to a controller to exercise a data subject right.
  • DPIA – Data Privacy Impact Assessment, a method of performing personal data risk assessments on processes and procedures. A DPIA is required when data processing is likely to pose a high risk to individuals.
  • ROPA – Record Of Processing Activity, the evidence (or audit trail) that explains how personal data is processed and how that processing complies with applicable privacy laws.

GDPR scaremongering

There is a lot of GDPR scaremongering based around getting massive fines to the point of bankruptcy and being thrown in jail for breaching the GDPR.

Let’s get real. The GDPR is not an albatross around your neck. Instead, it is a unique opportunity to show that you care about the people your business serves. They trust you with the goods or services you provide. They should also be able to trust you with the personal data that they give you.

Let’s personalise it. Would you like it if you entrusted something valuable to someone else’s care and they misused it? It’s a closed question. You wouldn’t.

The same applies to personal data. It is valuable, and it should not be misused. Everything about the GDPR comes back to one thing: its purpose.

The first article in the GDPR states, “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

There are extensions in the E-Privacy regulations, but I’m focusing on the GDPR.

The keywords in the purpose are “protect personal data”. That is your objective. If you can demonstrate to a regulator that you have taken this on board and tried to do something about it, there should be nothing to fear.

The GDPR is not an unknown. On the contrary, it is a reasonably well-thought-out regulation that fits into a few concise boxes dealing with data protection specifics.

  1. A general description
  2. Its principles
  3. An individual’s right to protection
  4. How organisations should operate
  5. How to collect personal data lawfully
  6. How to process personal data lawfully
  7. How to transfer and share personal data lawfully

It also goes into the supervisory and enforcement structure that oversees the regulation.

Nothing scary so far

These points break down into a few key, discrete blocks:

  • Managing external relationships and controlling personal data flows into and out of your organisation
  • Establishing a risk appetite-based policy-driven governance structure
  • Establishing an operating model
  • Appointing a Data Protection Officer (or equivalent) to give advice, provide oversight and manage the supervisory authority relationship
  • Documenting your processes and data use (ROPA)
  • Establishing transparency and individual rights processes (DSAR)
  • Periodic reviews to keep up-to-date with any regulatory changes
  • Regular reviews of any agreements involving data sharing or transfers
  • Conducting risk assessments (DPIAs) if personal data processes or procedures change
  • Regular reviews of security measures
  • Detecting and escalating suspected data loss (breaches)

None of these is beyond the wit of man, and in many organisations, some will already exist.

For an initial effort, a map-and-gap analysis is the starting point. Review existing agreements involving data sharing or transfers. Review digital and physical security measures. Review operating manuals and any other documentation. From this, you will understand where data enters and leaves your organisation, how sound your storage security is, and how the data is actually used.

The primary transformation is cultural. You will enable change through training. Make it personal. Educate people to treat other people’s data with the same respect as they would expect their own to be treated.

The refrains “Do as you would be done by” and “Do unto others as you would have them do to you” are the most appropriate.

I heat mapped the fines over the operational structure I designed for a client. The Head of Risk and Compliance (my boss) took one look and said, “training is the key”.

The Information Commissioner’s Office statistics show that almost two-thirds of all breaches are caused by human error.

Going back to the key, discrete blocks, you will see that they (in the main) are human-based and structural. People need to know what to do. When they do, things generally work out OK.

The scary stories are overblown. Anyone who has worked in compliance (and the GDPR is very much a compliance issue) will know that if you show a regulator that you have taken a regulation seriously and made a best-endeavours attempt to comply, they will be much more understanding than if you have not.

A little knowledge is dangerous as well. I have seen projects where every computer record with a “last amended by” indicator showing an employee id or email address is personal data. I have been asked whether wallboards showing the names of previous company presidents and CEOs are now illegal because none of them ever gave their explicit written consent to be put on the board. I’ve seen GDPR data privacy delivery specifications where part of the effort is a microscopic data lineage analysis.

Let us develop a pragmatic and practical sense of proportion about the GDPR and focus on protecting personal data. The message is simple: don’t do stupid stuff with other people’s data.

  1. Establish the governance based on a risk appetite
  2. Establish the operating model to legally process data and honour individual rights
  3. Establish the required training
  4. Establish proportionate, risk-assessed processing and storage security

Your objective is well-trained staff working in a structured environment operating under risk-based governance using data in a protected environment.

Some artefacts should be kept. These are identified in a reasonable level of detail in the regulation and will be natural outcomes of your implementation.

When you implement your unified data privacy control framework, you will be able to show everyone who has entrusted their data to you that you are respectful of their privacy. In addition, you will have a better understanding of how your business operates.

At a minimum, you should be able to answer the following vital questions:

  1. What personal data do we hold?
  2. Where is it?
  3. What is it used for?
  4. How secure is it?

To help you keep focused and stay away from some very appealing-looking rabbit holes, bear the following four principles in mind for your chosen solution. It should be:

  1. Practical – easy to use
  2. Pragmatic – realistic and sensible
  3. Performant – as non-intrusive as possible
  4. Proportionate – risk appetite based

The entire DPC unified data privacy framework has been around since 2017.

It is based on the above.

It works, so you can sleep at night.

Learn more about data privacy. Take our CPD accredited Data Protection Officer training course.