I thought I would look at the relationship between the GDPR and a typical objective-measurement process most of us know (and have a love-hate relationship with!) and see how it would perform.
Employees and employers often use the S.M.A.R.T. acronym when they sit down to do their quarterly, half-yearly or yearly objectives, so here are my thoughts on the GDPR when looked at through this lens.
- From the perspective of harmonising the disparate EU implementations of the previous EU Directive, one would have to say that a Regulation that aims to harmonise Data Protection expectations and enforcement is definitely a smart idea. Regulation is a necessary evil: left to their own devices, companies (and countries, for that matter) do not concentrate on these matters, so any collective drive to standardise across a geographic region is good, as it reduces the cost of having to adhere to a multitude of country-specific regulations, which is a benefit in an ever more globally focused business world.
- From a Security perspective it is vital that the world wakes up to the fact that we are all driven by data these days and that the CIA (Confidentiality, Integrity, Availability) of that data, of which PII (Personally Identifiable Information) is a part, is vital. In terms of the regulation, it is good that security obligations feature in it, and the emphasis on Privacy by Design and Privacy by Default are key objectives.
- In terms of accountability, yes. Record keeping and Privacy Impact Assessments are a measured, justified audit record of what, how and why data processing actions are taken. Whilst they won't per se necessarily exempt you from recourse, they are a key way for the Supervisory Authority (SA) and your business to review and adjust your thinking should an incident warrant it, and indeed, from a change perspective, should the business processing change.
- In terms of Supervisory Authority (SA) fines, very much so! There are very clear indications as to what the fine structure for breaches of Articles is likely to be and what it will mean for your business's pocket.
- Unlikely by the enforcement date. With the May 25th 2018 enforcement date just around the corner, and judging by the surveys and conversations I and other professionals are having, there is a dearth of real on-the-ground action going on at most companies (except for the larger governance-focused organisations where this is bread and butter; think Insurance, Banking etc.).
- Possibly in the immediate years after May 28th 2018. The name of the game for most will be to attempt to have something in place programme-wise come enforcement time, and pray that they can keep their heads below the parapet of the ICO and their Data Subjects, avoiding breaches or upsetting employees / customers through tardy DSAR processing, then continue the work in progress over the following years, maturing and streamlining their PIMS and Privacy maturity model as quickly as possible. This risk-based approach is laudable, but it could (and will) still leave you open to possible recourse, so bear that in mind.
- Some would argue no. The obligations and the scope are too far-reaching and require some sectors to really rethink their business models. I personally think that Data Miners / Data Aggregators / Data Vendors face some very interesting conundrums in terms of the transparency aspects of getting consent for directly and indirectly collected data. Let's see how these companies address the "how" aspect of implementing the GDPR in their organisations (or not, as the case may be!)
- I think it is a realistic objective to expect that the status quo should shift to redress the balance more towards the Data Subject; after all, any Data Controller and/or Processor is in effect only a CUSTODIAN of that data and not its owner, so the powers granted to Data Subjects under the regulation redress the imbalance we currently have.
- Yes, yes, yes! Enforcement will happen on 25th May 2018 and, given it is an EU Regulation, it does not have to be written officially into domestic legislation (although every government will, including the UK in updating / abolishing the DPA), as it is binding on all EU Member States.
- As with any governance / regulatory framework, it is not static or a point-in-time exercise. There is a continuum and a maturity curve that will come to the fore over the years after enforcement, where we all hope to see a general rising of standards and of compliance quality and effectiveness. We will see local SA feedback and collective EDPB steer clarifying points in the regulation where legal challenges and real-world experience show that guidance needs to be refined.
This is by no means a definitive list of points, and it is my view; I am sure others will be able to add their thoughts using this framework of objectivity to come up with their own set of statements and thoughts.
Hope you enjoyed reading it.