It’s been quite a bombardment these past few months: the General Data Protection Regulation (GDPR). But despite much attention being given to the term, interpretation of the legislation is much divided. How it is possible that a law, which is now on the statute book, is still causing so much uncertainty?
Within an organization, there is often awareness about privacy. In others, no awareness at all. And no point in between, it would seem. Anyone who’s asked companies, in recent weeks or months: ‘Are you busy readying yourselves for GDPR?’, would have been greeted, mostly, with confused faces. Companies are under the impression that a tsunami of rules and measures is about to hit them. The often over-simplified reporting of GDPR in the media has only made that worse. The danger is that companies will therefore behave as if GDPR doesn’t exist. Other organizations, on the other hand, do claim to be working hard on this but, in practice, have got nowhere.
Anyone who asks the employees of a company about data protection, receives, just as often, ambiguous and vague answers. Most don’t know how their company handles privacy (in the sense of non-disclosure of information). The company views data protection as a black box (whose workings are known to few). Besides considering GDPR from an IT-standpoint, we need to understand the bigger picture of data security. Every employee, at the very least, should be alive to that. Because the concrete actions resulting from GDPR are difficult to interpret for a company, it should have a baseline, in its head, of how it currently deals with privacy.
Have protective measures been taken already? How susceptible is the data that the company handles? As touched upon in my previous blog: using your common sense in conjunction with the vulnerability of the data equals ‘proportionality’. For medium-size to big companies, you would expect that procedures and reporting requirements are already in place. But for small firms, it’s far from straightforward. In such cases, it’s often unnecessary to keep a record of processing activities.
What is a processing register exactly? Article 30 of the General Data Protection Regulation runs as follows: ‘In order to demonstrate compliance, each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.’
But what, exactly, should that register contain? And have all companies, in the meantime, introduced such a register? A processing register could be a simple electronic document in Word or Excel. Often, it only runs to 15 to 20 columns. Examples of the data contained therein:
Contact details of the Controller and of the Processor (the person responsible for processing data), the processing purposes, and a description of the categories of the people involved and their personal data. Also important are the time limits set for the erasure of personal data.
The organization must keep the register up to date. The organization also has to arrange ‘security of processing’ (to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk).
If a company, after GDPR takes effect, has not ticked all the boxes, then it must start to do so as quickly as possible, in order to comply with the law. Many smaller companies, in particular, have taken advice on how to become compliant. But just taking advice is, obviously, not enough. For the smaller companies, the bar isn’t that high but they must, of course, make the effort to take the appropriate measures.
The best advice that I can give is to constantly improve the systems and processes relating to privacy protection. It is – to use an IT-term – an iterative process. On that score, a PDCA cycle would fit in perfectly here (Plan-Do-Check-Act). At any rate, a well-conceived strategy would be indispensable. That plan of action should at least contain what measures the company will be taking (or has already taken) in order to protect the privacy of all those concerned: customers, employees, suppliers, etc.
Start with the simplest measures and go after the ‘low-hanging fruit’. Once they are out of the way, prepare a ‘roadmap’ for the larger projects. Until now, 25 May 2018 has always been the target date. After that date, the ‘Commission on the Protection of Privacy’ will be examining companies very critically. And then it could get nasty, having to report a data breach in a system where not a single GDPR procedure is operational yet…
Author: Rutger Saelmans, 22 may 2018