GDPR = It Depends! Or does it?

Getting back to basics

I have not published anything for a long time, and I am fully aware that not everyone will share my views, simply because they are my views. This is by no means comprehensive and I welcome feedback, comments or additions, however they come.

"It depends" is probably one of the most common, and truest, statements you can make in the role of information privacy and data protection.

Recently there has been a lot of hype about GDPR and how it will affect us, with claims of major consequences, disasters and, let's not forget, the many specialists needed to fill a deep employment hole. But is it really that hard to accept that data protection is all about doing the right thing with information you are privileged to hold?

Yes, we will no doubt have to read the GDPR in depth to understand its meaning, and yes, we will no doubt eventually have to go back to school to gain another qualification, but for now can we not simply take it back to basics?

The first thing you should do when approached about data processing, data changes, systems implementation or data sharing is to take a big step back and remember that you can't know it all. The General Data Protection Regulation consists of 173 recitals and 99 articles spread over 11 chapters, with 26 definitions in Article 4 alone, meaning you cannot possibly answer a question straight away without looking it up.

The main principle is simply to be logical and do your research before you give a definitive answer or response.

There are no penalties for taking your time to get it right, but there are more than enough for getting it wrong. The duty and timeframe to report breaches or respond to a subject access request (SAR) are pretty clear: a breach goes to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), and a SAR is answered without undue delay and in any event within one month (Article 12(3)). However, there is no article or chapter that tells you how long you have to respond to a question.

When asked "can I do this with that data?", your answer should be "It depends", simply because this is the point at which compliance depends on the outcome, and you will need to gather all the relevant information before giving your response.

Ask the simple questions first:

· What data is involved? = the data type and category (ordinary personal data or special category data) = the conditions the processing must meet.

· Who needs this? = justifying the right of access.

· How will they access it? = the controls needed to apply an appropriate level of security for that data type and category.

· Where will the data be stored, hosted or shared? = the consequences of transferring data to that place by those means (transfers outside the EEA fall under Chapter V) = who holds which responsibilities as controller or processor, and a review of the requirements for the place of storage or the method of sharing.

· How will the data be used? = the specified purpose, which should form your fair processing conditions. If this falls within your current registered purposes, you have already stated your compliance; if it falls outside them, do you now need a further consent model or another lawful condition for the processing?

· Does it all add up? = Have you done, or do you now need to do, a privacy impact assessment or an information security assessment? Do you have data flow maps and processes/systems in place to help you?

· Can you justify the use of the data? Yes, then carry on; no, then don't do it. And as a famous meerkat once said, "Simples".

The where and how, combined with the who and why, should help you create and keep your data flow mapping, information asset register and other documents or reports up to date, so there is another bonus for asking the questions.

Personally, I use a data change request form to identify the main elements required in order to apply the appropriate outcomes to the justified use of data, but again this only works if you have a good awareness programme in place and everyone understands and follows the process for using, changing or sharing the data you create, use, store and/or share.

As stated, when it comes to data protection it really does depend, because "it depends" on you taking the time to assess the situation by asking the questions in order to find the right outcome. Or does it?

More articles by Paul Withers PGC

  • This is "Concerning" or is it?
  • Can you become a Compliance chameleon?
  • A greater use of Privacy by Design
