The coming of the GDPR

Earlier this month I posted a blog on my employer’s web site categorising what I see as the five key challenges: recording consent, privacy by design, compliance record keeping, adequate technical protection and public accountability.

I talk of the need to only process personal information with the consent of the individual concerned, for the purposes consented, and only for as long as those purposes remain in place; this is no change from before. I argue that the extension of data subject rights is actually marginal if one has been complying with the law. I am curious about the “freedom from algorithms”, but this is a right that is already defined. The complexity of the consents and the data processed means that Enterprise Data Models will now be mandatory; it’ll be impossible to fulfil data subject rights or prove compliance without these tools.

Possibly the most revolutionary change required by the GDPR is that systems implementers must perform privacy impact analysis and ask permission from the national supervisory authority in order to implement high risk projects. This will involve changes to companies’ SDLC and/or project management processes; it’s unlikely that the ICO processes to perform this work will be quick.

On record keeping, I say,

The most difficult part of compliance is likely to be proving that one’s data protection and privacy controls are comprehensive, e.g. all fields containing ‘personal data’ are known, all uses are documented and consents exist. Proving what you’ve done will be relatively easy, proving that it’s been done everywhere required will be harder.

When one adds the issues of information life cycle management, accuracy and the storage limitation principle, the record keeping required is not simple, nor, for large companies, particularly small.

One of the central principles is that of adequate technical protection. A lot of work has been done in defining good practice, codified in, among other places, ISO 27001. The new law envisages certification agencies promulgating good practice, but for the medium term ISO 27001 will be the ‘gold’ standard. More mature organisations will by now have information security organisations and be in a good position to define and perform adequate technical protection.

The public accountability dimension is where the Data Protection Officer and the new breach reporting requirements come in, i.e. the need to report breaches within 3 days to the national supervisory authority.

1 Comment.

  1. The original blog, posted at Citihub, was written in 2016, but this article/snip was posted as of today as I wanted it to appear in searches of my blog. My views have changed since writing this, partly as a result of working on a GDPR record keeping system build.

    Today I’d say that the GDPR is less consent orientated; there are five other lawful reasons. However, the lawful reason can change over time, and so the need to record the lawful purpose against each datum remains. Performing rights fulfilment, i.e. access requests, corrections, deletions and suspensions, will require new systems. Data controllers will need to know their subjects. Without self service, this will quickly become too expensive for any large company. Suspension may require that all transactional systems have new functionality. Record keeping systems will require an architecture and solutions design.