Earlier this month I posted a blog on my employer’s web site categorising what I see as the five key challenges: recording consent, privacy by design, compliance record keeping, adequate technical protection and public accountability.
I talk of the need to only process personal information with the consent of the individual concerned, for the purposes consented, and for the duration that the purposes consented remain in place, and note that there was no change from before. I argue that the extension of data subject rights is actually marginal if one has been complying with the law. I am curious about the “freedom from algorithms”, but this is a currently defined right. The complexity of the consents and the data processed means that Enterprise Data Models will now be mandatory; it’ll be impossible to fulfil data subject rights or prove compliance without these tools.
Possibly the most revolutionary change required by the GDPR is that systems implementers perform privacy impact analysis and need to ask permission from the national supervisory authority in order to implement high-risk projects. This will involve changes to companies’ SDLC and/or project management processes; it’s unlikely that the ICO processes to perform this work will be quick.
On record keeping, I say,
The most difficult part of compliance is likely to be proving that one’s data protection and privacy controls are comprehensive, e.g. that all fields containing ‘personal data’ are known, all uses are documented and consents exist. Proving what you’ve done will be relatively easy; proving that it’s been done everywhere required will be harder.
When one adds the issues of information life cycle management, accuracy and the storage limitation principle, the record keeping required is not simple, nor, for large companies, particularly small.
One of the central principles is that of adequate technical protection. A lot of work has been done in defining good practice, codified in, among other places, ISO 27001. The new law envisages certification agencies promulgating good practice, but for the medium term ISO 27001 will be the ‘gold’ standard. More mature organisations will by now have information security organisations and be in a good position to define and perform adequate technical protection.
The public accountability dimension is where the Data Protection Officer and the new breach reporting requirements come in, i.e. the need to report breaches within 3 days to the national supervisory authority.