This is something we started hearing more frequently from our clients as the year 2017 approached its half. There was a lot of scary GDPR communication around focusing on its high sanctions. Wunder’s stance to GDPR has always been a positive one. GDPR is a good thing for all of us as individuals. It protects from misuse of our personal information, or personal data as GDPR refers to it. GDPR will bring change to how we deal with personal data, and change always comes with some effort. Some horror figures of tens of percents increase in the IT budget due to GDPR has been quoted on the net. This could be possible if you are in banking or other businesses focused on processing sensitive personal data. Then again, such companies have had pretty strict and not too dissimilar legislation already, which challenges such proposed figures. For most companies with a digital business focus like many of our clients, reaching GDPR compliance should be an insignificant effort compared to all those scare talks on the net.
GDPR basics in a friendly format
Unlike pretty much every other GDPR paper or any legal paper for that matter, I will not start with a bunch of definitions. My client presentation on this subject actually has four words and phrases defined, but I will not bother you even with that in this blog post. Instead let us approach GDPR as in a nice discussion, starting from what GDPR is. Every GDPR article seems to pick up different aspects of it, here are mine.
The basic idea of GDPR is to protect our personal data from misuse. This brings along some new rights to us as individuals towards those who collect, store and otherwise process our personal data. GDPR talks about all of this as just processing. GDPR also introduces some new responsibilities and obligations to companies processing our personal data. This should be seen as most welcome by digitally active people who have had their share of less desired targeted marketing and other questionable use of their personal data.
About GDPR rules of processing
One principle of GDPR is that companies may process personal data only as little as needed in order to offer their services. This means a minimal amount of personal data and also a minimal amount of processing. All processing needs to be justified. No old personal data may be left on the shelf just as a precaution. It must be deleted if storing it cannot be justified. Also, no processing may be performed unless it is justified. You cannot just mess around in your big data if it is somehow linked to the people regarding whom it is. – That’s right, big data is personal data, if the collected actions of the users refer to an individual with some personally identifiable data in the system. Personal data is not just name and email and such, it is all data that can be tied to an identifiable person somehow. Hiding the linkage of big data to the people behind it, is a good idea and recommended by GDPR. But as long as only the admin of the system can decrypt the linkage and identify the people to each piece of big data, that is all personal data and under GDPR.
Another important principle of GDPR is that you need to be as open as possible about how you process personal data. Even if you know you’re not quite up to the requirements of GDPR and May 25th came and went already, you need to be open about it. Telling about it and ideally projecting some schedule for fixing the shortcomings is way better than hiding something from the Data Protection Authorities (DPA) or the people whose personal data you are processing.
GDPR is not just about security tech
To people less informed about GDPR, it sounds like a big technical hurdle of data security. GDPR does demand the technical data protection to be ‘state of the art’, but this relative to the organization and the processing that is done, and reflected the cost of implementation of security. Even though no system on the internet is 100% unhackable, in real life far more data security hazards tend to result from weakness in the process rather than in the technology. The wrong people have access to personal data or process it in a less secure manner. And finally, GDPR requires that companies pro-actively prove their conformance with GDPR. It’s not enough that companies start scraping up some process papers if the DPA someday pays them a visit. Companies need to have the proof of conformance stacked up and done all the time, preferably even publicly available. We therefore reach the interesting conclusion that technical data security is not even secondary in GDPR, in a way it comes only in 3rd place. This is at least the case for our maintenance clients as we have taken care of their data security all along. The priorities in GDPR thereby become:
- Produce the documentation proving GDPR compliance
- Inspect and possibly improve the data protection process – who processes what data and how
- Improve the technical data security
Not really anything to be scared of
That’s pretty much it for GDPR, at least from the perspective of companies like our clients. It doesn’t look so scary now does it? Wunder offers a GDPR audit service where we take care of mapping the personal data in the client’s web service, we walk through the findings together with the client, and we produce the needed documentation for proving GDPR compliance. I’ll tell you all about it in my next blog text.