Privacy by design
A key to whether organisations succeed in becoming GDPR compliant will be how well privacy requirements are integrated into business culture. While there are many similarities between the ‘old’ paper-based and ‘new’ digital worlds, there are also huge disparities.
Most companies already have some form of data privacy structure, which can be used to gauge the additional work that needs to be undertaken. Frameworks in which infosec principles are embedded, and in which the focus is on building relationships and developing trust, will also be essential.
What are people worried about?
- People don’t follow rules: they click on email attachments, for example, which can put compliance at risk when those attachments contain personal data that should not be circulating.
- The Data Protection Impact Assessment (DPIA) is a new requirement to identify and resolve any privacy-related risks. Incorporating it into business policies alongside GDPR is an option, but there is a danger of over-complicating the issue.
Lessons learned to date:
- Everyone needs to be educated to ensure they understand both the overall implications of GDPR for the organisation, and the specifics of how it relates to their project(s).
The marketing sector will be hard-hit by GDPR, depending as it does on personal data for online targeting. While it argues that this data enables the delivery of highly personalised and relevant communications, along with benefits such as offers and discounts, some consumers will welcome not receiving these messages.
Similarly, as referenced above, spreadsheets of business contacts are the backbone of many business development activities, and the contact details they hold are personal data within the scope of GDPR.
While some organisations already operate strict privacy processes (scanning all outgoing email, for example, or wiping company-confidential information from all devices before foreign travel), many will struggle with the stringent new rules and the current lack of clarity.
What are people worried about when considering the impact of GDPR on business operations?
- Data protection is subjective; what is right for one organisation may be unworkable for another.
- Much of today’s marketing activity deploys automated decision-making. Explaining the algorithm behind such decisions, as GDPR requires, will be challenging.
Lessons learned to date:
- There is a generation gap; younger people are more comfortable sharing personal information, particularly in order to get something (often content) for ‘free’. However, it is questionable how well they understand privacy.
The general consensus was that non-compliance is unlikely to be met with the maximum fine of 4% of global annual turnover, although it seems likely that examples will be made of bigger businesses; high fines will be intended to get people’s attention and show what should be done to meet GDPR requirements.
What we know so far
Despite the current lack of clarity on what GDPR will mean for organisations, it is possible to make some recommendations based on the observations and experiences of our attendees:
- The first step for any organisation will be to understand what personal data they hold, where, why and for how long. A data audit to gather this information is a task not to be underestimated but a critical starting point.
- Even with policies in place, people often don’t follow rules, clicking on unidentified attachments, for example, despite knowing this is risky. Part of the compliance solution is to undertake training and awareness throughout the organisation. This is particularly important at board level: the ‘tone at the top’ with respect to data protection and the importance of compliance is critical.
- Existing processes for security impact assessments can be re-used as a foundation for the Data Protection Impact Assessment (DPIA) requirement under GDPR.
- The business element of GDPR compliance is more difficult than the IT part. The process, which may be defined by a lawyer, needs sensible input from the business that provides context and perspective. Collaboration between legal, IT, compliance and risk management teams is key here.
Whilst the stage of GDPR preparations and the preferred approach varied across the organisations attending our roundtable, there was consensus on at least one thing – now is the time to take GDPR seriously and to make tangible steps towards compliance.
This article is the second and last one of a series.