I’m working with a lot of businesses who are attempting to implement General Data Protection Regulation (GDPR). Some get it and some don’t. To be honest that is not a surprise, there is a lot of misinformation out there about GDPR. Probably the most misleading are the ‘come buy our software, it will make you GDPR compliant’ or ‘complete our templates and you will be GDPR compliant’. Neither approach will make you fully compliant. Anyway, what is compliance?
The way a business needs to manage privacy under GDPR, changes from the often misjudged approaches adopted under the current Data Protection Act (DPA). It can make compliance less black and white, but also make it more manageable for businesses to adopt. Some of the key changes that are not being widely explained are:
- The requirement for businesses to prove they don’t process Personal Data. Rather than opting in, as businesses do today, they will need to prove they can opt out.
- The requirement of the Data Subject to prove that a business is not processing data in accordance with the DPA. Under GDPR, businesses will need to prove that they process data correctly.
- It is a risk based approach. Businesses need to understand the risks their data subjects are exposed to while their data is in their custody.
For points one and two, most businesses that comply with the DPA will have a small amount of work to do. However point three will require some effort and some thinking.
For small businesses, management of risk can be a mysterious process. Difficult to understand because there are no right and wrong answers, but it really isn’t too difficult.
First you have to understand the data that is held by your organisation. I don’t think I have encountered a single one yet that has not been surprised at the amount of data they hold. Usually the first exercise is to question the amount of data, storage locations and retention. Reducing the amount of data to the minimum needed to run the business is a risk reduction exercise in itself.
Once you understand the data, examine the risks that your business is exposed to and assess what the impact would be to the data subject if that risk was to materialise. I assess this impact by using the model developed by NIST . I have adapted this slightly for GDPR see below:
I then prioritise the high impact risks and work on them. First identifying what level of risk would be acceptable and then working out what actions are needed to reduce the risk to that level. These actions are then assigned to individuals to ensure they are put into operation.
Risk is largely subjective. There are approaches which attempt to quantify it, but for most businesses attempting to implement GDPR, this type of qualitative approach will work. Because it is subjective, it needs to be reviewed regularly as knowledge matures and risks become clearer, as do the mitigations. So businesses should start to have this as a regular agenda item for board or management meetings.
There lots of negatives communicated about GDPR, but it doesn’t have to be. Taking a little time to sit back and understand how your business is functioning and then understanding risk and putting measures in place can return many benefits. Here are just a few I have seen recently:
- Reduction in the amount of data held. This reduced risk, but it also significantly reduced storage costs
- Streamlining of processes which have increased speed of production
- Greater understanding of how the business functions and identification of organisational ‘pinch points’
As I have said in previous blogs, look at GDPR as a tick box exercise and you will not only fail to comply, you could miss some brilliant opportunities.