GDPR and Data Protection: A Chief Data Privacy and Protection Officer's Perspective
Julie Whiting, August 29th 2018
Now, there are a lot of GDPR articles out there on the internet, but how many that you've read are from a Chief Data Privacy and Protection Officer's (DPPO's) perspective? Not many, I bet, so you're in luck! We have been able to talk with our very own cloudThinger, Gareth Porter, about his views on the GDPR situation. Trust me, there's some interesting and surprising content that you may or may not already know...
The implementation date for the GDPR has passed, and everyone is now compliant. However, the question that has not yet been fully addressed is: how are we going to remain compliant? Having spoken to our Chief DPPO, Gareth Porter, we discovered that becoming and remaining GDPR compliant shouldn't actually have been/be that big a change, if organisations were already following and abiding by the Data Protection Act (DPA) 1998. Read on; you're not going to want to miss this!
Let's start with the DPA 1998, which had eight principles that everyone should have already been complying with. When compared to the GDPR's six principles, they are almost identical, and it's probably now dawning on you that if you had applied the original DPA principles from the start, becoming compliant with the mandatory GDPR may not have been such a major undertaking. The problem is that some organisations were not really making the commitment they should have to the principles outlined in the DPA; it is stated that gathered information should only be used for the purpose for which it is collected, but if we're being honest, few organisations have been able to follow this principle, despite it being UK law (https://bit.ly/2kV9S1T).
The GDPR has introduced new rights for Data Subjects, as well as new requirements for Data Controllers and Processors, but the main topic that is worrying companies about the GDPR is the proposed fines. It is true that if you fail to comply, it can result in a penalty of €20,000 or 4% of global turnover, which, to be frank, would scare anyone into implementing these necessities. The GDPR states that failure to put these requirements into action will result in these potentially monstrous fines. However, what many forget is that the awarded fines are based on the severity of the data breach, so not all fines will be the worst-case scenario stated. We are not saying that companies and organisations can get away with not complying fully; data breaches will be fined, but only at a level proportionate to the breach. We feel that this has not been voiced enough.
For some time now, forward-thinking companies, organisations and Government departments have been following security best practice and undertaking data screening of their information estates. Many Data Protection Officers (DPOs) know that following best practice would have been the correct thing to do. However, they have found the importance of these procedures difficult to convey to others within their organisation and so the DPO’s messages about following best practice have lost out to competing business requirements...until now! So, with data security back in the business spotlight, we as DPOs have regained some power, but what is our next move? We need to identify whether our companies are acting as a Data Controller or a Data Processor. For those who aren't familiar with these terms, allow me to explain, but for those who know what these are, which would you prefer to be and why?
There has been some ambiguity about who a Data Processor or Data Controller is; this role identification will determine how much responsibility you carry. For example, if you were storing client data in an Azure cloud location, Microsoft would be the Data Processor, as they would be processing data on your behalf. You would be the Data Controller, as you have chosen the client information that is to be stored and are therefore highly responsible for its privacy and protection. So, if you have specified, defined, requested or managed the data, you are the Data Controller. I've explained the attributes of the two positions, but which one is more beneficial to be, and why? As a Data Controller, you will have full control of the data, which will show clients that you are taking your responsibilities seriously. When you ensure that your client information is secure, this gives them a sense of security, knowing that you are safely holding and managing their data and not avoiding that responsibility.
Firstly, we must learn that there is nothing wrong with being a Data Controller and having more responsibility. Clients will see it as a positive thing that you are in charge and control of their data, and that you take the security of their data seriously. You are essentially saying to your customers, 'we, as your data holders and therefore Controllers, are embracing these responsibilities to provide the maximum duty of care to keep your information safe and ensuring GDPR compliance.’ It is no longer acceptable to take the approach of 'what's the least we can do'; it must be maximum effort to avoid any failure of compliance, and therefore any potential fines.
Moving forward, what have we learnt and what must we do? First, as Data Controllers, we must begin to manage data with a data screening process; no one can afford not to do this. Secondly, DPOs will have power restored to them, and their organisations will hopefully listen and act when it comes to implementing data security best practice.
For the newly empowered DPOs out there, cloudThing would like to help make your life easier now that you have the attention of your board. complyThing, cloudThing's data management tool, helps you remain compliant with all the requirements of the GDPR by managing your data screening process and data protection impact assessments. It will also notify you of consent renewals, manage and record data sharing agreements and much more, and can scale to all businesses' requirements, whether you're an SME or an enterprise organisation.
If you are eager to find out more information so that you can present complyThing as a good opportunity to your board, or you've seen this article and want to help your DPOs out, don't hesitate to give us a call on 0121 393 4700, or drop us a message. We are happy to help!