Less than a year before the GDPR – General Data Protection Regulation – comes into force, it is finally hitting the headlines. But what does it mean to you? Well, assessment of GDPR compliance will be based on six core principles, or commandments, on which the regulation has been developed. In reality, five of the commandments are already applicable under existing law; the sixth commandment is new to the mix.
Learning to Love, Honour and Obey the GDPR
The six commandments in all their glory are hidden away in Chapter Two, Article 5 of the GDPR. Principally, they are:
- Personal information shall be processed lawfully, fairly and in a transparent manner – the first commandment is all about the concept of clear consent. So, wherever personal information is being collected, clear consent must have been given by the data subject. Yes, you can still use opt-in tick boxes, but you will no longer be allowed to gain consent by way of opt-out, or non-action, boxes; the GDPR is very clear on this point.
- Personal information shall be collected for specified, explicit and legitimate purposes – if you are collecting personal information, you must make it clear to the data subject not only the purpose for collecting the data, but also how you will be processing this information. Transparency with data subjects is key in how their personal data is going to be used.
- Personal information shall be adequate, relevant and limited to what is necessary – the data controller, when collecting personal information, may only collect the data that is mandatory for the purpose that has been specified. So, if the data subject is registering for a magazine subscription, the data controller does not need their date of birth.
- Personal information shall be accurate and, where necessary, kept up-to-date – under the GDPR, there is a shift in obligation; it is now up to the data controller to make sure, to the best of their ability, that any personal information collected is accurate. Trivial, you may think, but in fact the GDPR is attempting to cover situations where the processing of inaccurate information could potentially cause harm or distress to data subjects.
- Personal information shall be retained only for as long as necessary – and this is the commandment that has marketing people trembling because they must apply an expiration date, as appropriate to the purpose, for all the personal information they collect. Giving a reason of indefinite retention is not likely to go down well with the supervisory authority.
- Personal information shall be processed in an appropriate manner to maintain security – this is the sixth commandment, and the one that has possibly caused the most head-scratching, because it means that data processors and controllers must make sure that their systems are able to maintain the integrity, availability and confidentiality of the data and of the systems that process it. Not a small task.
Snake Oil in the 21st Century
The GDPR has been designed to move away from mandating specific technological solutions, accepting, even advocating, that the controls most organisations already have will provide enough protection, i.e. changing existing online web forms, ensuring the integrity and confidentiality of processing systems, and introducing a policy to delete any expired personal information. Not only that, but those who focus on just one of the six commandments in order to try and sell their solutions essentially ‘go against the grain’ of the purpose of the regulation.
The GDPR wasn’t developed to provide companies with ‘golden egg’ solution selling opportunities; nor was it designed to increase stress levels and put pressure on organisations to overspend their budgets on administrative fines just because they didn’t buy a solution.
GDPR’s six commandments are coming into force to demonstrate and ensure that the attributes and personal information of everyday people, us, are provided the protection and care we deserve, and should expect.
As Albert Einstein said: “Any fool can know; the point is to understand.”
For more information on Cyber Management Alliance, assistance with GDPR Readiness, ISO 27001 Certification, their Live Online CISSP Training & Mentorship program and other courses, webinars, the Wisdom of Crowds live and virtual events, and their Insights with Cyber Leaders series of executive interviews, contact us today.