Part 4 - Don't bury your head in the GDPR sand
In this final blog of this series of 4, I thought I’d discuss some of the mythology around GDPR and highlight some of the more excessive delusions. First and foremost – GDPR is coming (Brexit will not make one hoot of a material difference) and you will have to deal with it. Below are 5 myths that need serious debunking.
- "All our personal data is covered by the Data Protection Act – we won’t have to do anything…"
- "It’s a legal matter – they can deal with it… (or, it’s an IT matter – they can deal with it)…"
- "This product will solve the problem…"
- "GDPR will fade away once the hype’s gone…"
- "Our data is in the cloud – AWS/MS Azure/another (delete as applicable) will sort it…"
1. The GDPR applies to personal data no matter when that data was collected. Meeting the requirements of the Data Protection Act is a good start, but it does not encompass all GDPR requirements. Follow this myth and you’ll eventually crash and burn.
2. There is no doubt that there is considerable need for legal input into your organisation’s GDPR debate. It is not, however, the be-all and end-all. Your response will require the input of people from across your organisation, including (but not limited to) Senior Management (board level), Legal, HR, IT, Operations, Internal Communications and others…
3. There are definitely products and services that can help you meet GDPR. These can supplement your efforts. Remember that: they supplement. Your response will need internal meetings, data audits, management updates, encryption, pseudonymisation, supplier audits and so on… You may find a useful meeting scheduling tool, a handy encryption management suite, or a high-level GDPR checklist. No one of these things will meet the regulation on its own. Anyone telling you they have a packaged solution is selling snake oil (see previous blog rant).
4. One of the reasons GDPR was developed was that previous pan-EU data protection initiatives had faded. The nature of GDPR is going to make it intrinsic to the way an organisation works. The regulation has teeth. The ICO looks like she REALLY means it! Privacy will not be met by a one-off solution. It, like quality and health & safety, will embed itself and become part of the way things are done. It is not going away.
5. Cloud providers will have a responsibility, but the buck stops with the Data Controller – that’s you. If it’s your organisation that determines that personal data is collected, then it’s your concern. You cannot offload the responsibility onto your suppliers. You have to manage them!
Your approach to GDPR must be a ‘whole-body’ effort. Whilst avoiding too much New Age nonsense, a holistic approach is the only way to deal with it. Single shot solutions will not work. A software package won’t scratch the surface. You need to be ready to act with knowledge and understanding.
The GDPR Awareness One Day Course ‘Making Data Privacy Matter’ from APMG can help set out how best you can begin dealing with the incoming Regulation and avoid the myths and those who peddle them.