GDPR: getting it done or getting it right?
As 25 May approaches, companies everywhere are huddling around their GDPR teams to take the big steps that will ensure their compliance. Being part of a small but very fierce project team of our own, I know that the devil is in the details. Here are three of the details that made me realise that rushing to get compliant might lead us to some poor choices, which is why it’s better to take the time to approach the GDPR rules in the right way.
- Consent is just one of the six legal bases for processing personal data. As you go through your data and the legal grounds for processing it, consent should be used only as a last resort, for whatever does not fall under any of the other five bases. This is not just smart but also efficient: just imagine the insane number of emails we would all be getting by the end of the month, and the small percentage that would actually be answered (and agreed to) as a result. The most common scenario where asking for consent is mandatory and cannot be avoided is the collection of personal data for marketing purposes (e.g. newsletters, campaigns etc.). Without any other law or legal ground to govern it, processing personal data to grow your business is allowed only with verifiable and valid consent.
- How you ask for consent is also extremely important. Emailing customers to ask for permission means you needed prior permission to email them in the first place. Catch-22, right? Honda and Flybe rushed to get compliant and they got fined. Tip: don’t ask customers whether they want to be contacted by email…by email!
- Encryption is valuable. GDPR certainly doesn’t tie compliance to encryption alone, and it doesn’t specify levels or standards of encryption, or where to use it. Nevertheless, it is well known that under previous data protection laws, and especially in case law, having encryption in place has been accepted as an argument in a company’s favour for specific types of breaches and specific types of encryption. The data protection authorities will probably maintain this view in the future. The fact that encryption is mentioned in the regulation, even if only as an example, makes it all the more important for you to consider implementing it wherever possible.
I guess what I am trying to say is: don’t panic, and show your work. Industry experts generally agree that the ICO will most likely come down heavily on companies that suffer breaches and cannot demonstrate that they’ve taken the necessary steps to comply with GDPR. You’re less likely to get a significant fine if you can show solid documentation of the GDPR-compliant processes you’ve defined, and a detailed roadmap for implementing anything you haven’t finished yet. Also, GDPR is teamwork, so make sure everyone in your company understands their role and involvement in achieving GDPR compliance, and follows common-sense practices such as not sharing customer data with external parties or storing it on private accounts. And remember that the big reason behind all this is to create a safer space for customers to share data, and to minimise both the risk of breaches and the damage in their aftermath, which is a pretty great goal to work towards!
Andreea Baloi is a Contributor on Outsourcing Advisors
Andreea is a bold and brutally honest IT professional, with over 10 years’ experience in management and more than 5 running business operations. Her background lies in customer support, where she strives to achieve excellence in offering assistance, while inspiring and helping her team to build the skills and strategies needed to develop and grow their IT careers.
Andreea is really passionate about women’s empowerment, leadership and personal growth, and she constantly uses her online presence to raise awareness about these topics. She enjoys reading and uses writing as a form of meditation and creative expression. When she’s not working, Andreea spends time with her friends and family, usually trying to get her 10-year-old nephew to still enjoy her company. You might also find her travelling to new places, doing yoga, watching Netflix or occasionally going out dancing.