It has been a year since GDPR legislation standardised data privacy across the EU, but how to comply has not always been obvious, says Mike Harris.
Already the emails, LinkedIn posts, and events to mark the one-year anniversary of GDPR have started arriving. As with the flurry of consent emails of last May, these confuse and distract from the ongoing data-protection requirements and often tend to be sensationalist.
All EU states have passed their own data-protection laws, and enforcement has begun in many countries, so where do things stand and how can organisations navigate the way forward?
The first year of GDPR has been a settling-in period for regulators and organisations. Fines, breach notifications, and reporting are all still a grey area, pending more detailed guidance and examples from the data protection authorities and/or the courts.
There has been initial guidance on certifying organisations’ data-protection compliance. However, there is no formal, approved certification mechanism to give organisations a means to prove compliance.
Over the last year, there have been lots of GDPR myths and misunderstandings. There have been claims that the GDPR prevents people from taking pictures at children’s communion, or from getting details of hair dye colour in a hairdresser’s.
These have all muddied the waters and made it harder to separate the wheat from the chaff of what the regulation actually requires. A great deal of confusion remains in much of the understanding of data-protection requirements.
A pragmatic view is needed to help organisations create the operational policies and processes to become compliant with GDPR. Rather than getting lost in the often academic and esoteric details, those tasked with GDPR compliance should focus on an approach that is appropriate for their organisation and its business model.
That approach should be sensible and cost-effective and easily defensible to the regulator. Fundamentally, organisations should assess their current data-protection environment and define a target operating model, incorporating the elements of people, process, and technology.
Sizing these elements depends on an understanding of the volumes of requests and other demands placed on the data-protection function. This will clearly vary with the nature and volume of personal data that an organisation processes: a retail company, for example, faces very different demands from a business-to-business company. Data-protection certifications and training courses are valuable and worthwhile pursuits.
However, many organisations are struggling to bridge the gap from theory to practice. Conferring the title of data-protection officer does not necessarily bestow the necessary know-how to enact data protection in the organisation.
Organisations should take a risk-based view, as is called for in the regulation. The risks to be considered are the risks to the people whose data you process, remembering, of course, that processing is widely defined, and even includes simple storage of data.
Once an operating model for data protection is developed, it’s vital that organisations confirm, through rehearsal, that it is fit for purpose. This provides the opportunity to course-correct or adjust to organisational idiosyncrasies that might not have been apparent during the development work.
It’s vitally important for organisations to practise both their responses to data-subject rights requests and what they would do in the event of a data breach. Having to work out the steps of the process under significant time pressure, in the heat of the moment, should clearly be avoided. Organisations should have simple scripts that are ready to follow and that will work in most circumstances.
Fundamentally, putting data-protection structures and guidance in place across people, process, and technology (in that order) is key. This will mitigate short-term GDPR risks and create a long-term data-protection culture.
Mike Harris is partner and cyber-security expert at Grant Thornton Ireland.