GDPR – a defensible position

Simon Merrick, GDPR Transformation Specialist at Agilisys discusses why, with less than one month to go until GDPR enforcement, a defensible position should be the default

The General Data Protection Regulation is a regulation, and if there's one thing that doesn't get everyone out of bed in the morning, apart from compliance managers, it's compliance with a regulation.

As a management consultant, I'm often working with organisations to change behaviours, thinking and outcomes. Finding that 'reason to change' is sometimes the hardest part of the job. That reason might be a business threat or objective, an innovative technology or simply a change of individual. On rare occasions it can be legislative too. So how excited was I to find the Information Commissioner, Elizabeth Denham, saying that GDPR was "the biggest change to data protection law for a generation"? If there was ever a catalyst for transformational change in this digital age, here it was. Or was it?

The 25 May 2018 enforcement date has been bandied around by some as if it were 1 January 2000, despite the ICO saying the contrary. Get compliant by the date or doomsday will fall. I recall a recent conversation with a colleague who still remembers Y2K and waited by the phone for that call to IT on the first day of the new millennium. Nothing. Second day. Still nothing. Third day. The phone rings. But it's just to say everything is OK, all systems go.

An opportunity, not a threat

GDPR, however, is not like the Year 2000. Massive fines are not going to drop on 26 May. It is a transformation opportunity, an evolving data privacy journey and a catalyst for change, if an organisation is so disposed. But if you've done nothing so far and you're hoping to 'be compliant' by the date, you're barking up the wrong tree.

The regulation contains lots of flexible-sounding words like appropriate, suitable, reasonable and adequate. These terms all need interpreting continually within your own organisation, because every organisation and its use of personal data is different and changes daily. GDPR requires you to demonstrate that you are compliant, not just say that you are. A snapshot of your data privacy position from a year ago is not enough. Lawyers will be rubbing their hands, and test cases can be expected to appear as the regulation is stretched and pulled into shape.

For the organisation that is looking to do what it needs to with one month to go, compliance should not be the objective. Establishing a continually defensible position should be: one that you can justify should the ICO come knocking on the door.

Creating and maintaining a thorough register of processing activities is the number one priority. It should demonstrate that you have a lawful basis for processing the data. This should be followed by documenting the decisions and actions you are taking in deciding how you manage data privacy risk across your organisation and its supply chain. A data privacy governance body can help. Even if these actions are not complete, they will go some way to establishing your defence by showing that you are doing everything you can to be as compliant as possible.

Finally, appointing a Data Protection Officer, which is mandatory if you are a public authority (other than a court acting in its judicial capacity) or a controller or processor whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, is a significant, demonstrable piece of evidence that you are serious about data privacy and following the law.

For the enterprise that is looking to do more than just establish a defensible position, focus should be placed on how the organisation can create communications that build and maintain customer and employee trust. It's a much bigger task, but one that is truly aligned with the essence and spirit of GDPR.
