Having been asked to blog about GDPR, I decided to avoid the standard, attention-grabbing approach of opening with the size of the fine for a breach of the upcoming regulation. If you’re not already aware of it, check your junk mail for GDPR workshop invites; it’ll be somewhere in the header or first paragraph.
I’ll start, instead, with a question: Are you struggling to get a handle on GDPR? Welcome to the club! As organisations of all sizes stand trapped in the headlights that are ‘the May 25th GDPR deadline’, who better to turn to for some clarity than the Information Commissioner’s Office (ICO)? The ICO provides a helpful ‘What’s New’ section, so I thought I’d take a look at February’s ‘news’. It included such helpful guidance as:
The term “right” in the provision does not mean that Article 22(1) applies only when actively invoked by the data subject. Article 22(1) establishes a general prohibition for decision-making based solely on automated processing.
Article 35(3)(a) refers to evaluations including profiling and decisions that are ‘based’ on automated processing, rather than ‘solely’ automated processing. We take this to mean that Article 35(3)(a) will apply in the case of decision-making including profiling with legal or similarly significant effects that is not wholly automated, as well as solely automated decision-making defined in Article 22(1).
So that was helpful.
Seeking even greater clarity, I turned to Elizabeth Denham, the Information Commissioner, who has been doing the rounds ahead of the May ‘deadline’. Ms Denham is clearly passionate about her mission and speaks very clearly on the importance of GDPR; however, there is a degree of ambiguity in her messaging. In various blogs and speeches this year she has provided the following guidance (which I’ve taken the liberty of categorising based on her perceived stance):
Very Hard: “Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.”
Hard: “There will be no ‘grace’ period as organisations will already have had two years to prepare.”
Vague: “Compliance should involve an ongoing effort in which organisations have to show they are putting the key building blocks in place”.
Soft: “While there will be no grace period – you’ve had two years to prepare – I know that when 25 May dawns, there will be many organisations that are less than 100% compliant.”
Very Soft: Ms Denham has said her organisation “is not planning to take a hard line on the 25 May implementation date for compliance with the EU General Data Protection Regulation”.
I hope that makes things clearer for you? No? Don’t worry – you’re not alone. Cetus has run a series of GDPR workshops over the last year, attended by a wide range of people with an equally wide range of opinions on GDPR. These range from “it’s a disaster about to happen” to “thought I’d pop along to see what all the fuss is about”. The funny thing is that they were all correct – it’s just how far your preparations are under way that defines the potential impact on your organisation come the 25th May.
Common amongst many of our workshop attendees was the fact that ours wasn’t the first (or even second) GDPR workshop they’d attended. However, the post-workshop feedback was pretty much unanimous that our approach to explaining GDPR was the most helpful they’d had. But why?
Unlike others, we described how a multi-partner approach needs to be taken. We combined deep subject knowledge from a GDPR practitioner with a holistic security approach that looks to redefine an organisation’s digital boundary. By the end of the workshop we’d provided clear, practical next steps to allow the attendees to prepare for the deadline.
So, is GDPR just a legislative thing? Once again, I would like to quote Elizabeth Denham – “Only one in five people in the UK trust organisations to look after their data”. That’s a pretty miserable statistic. You might ask yourself – are you one-in-five, or are you one of the untrusted 80%? It could be more important to the future of your organisation than ‘mere’ legislation.