What Is Your GDPR Blind Spot?
Published on: May 29, 2018

It’s the EU legislators’ firm intent to increase the accountability of any person processing personal data. How? By imposing responsibilities and requiring processors to demonstrate compliance with them at all times. For instance, to encourage transparency, various obligations will regulate information, access and communication with the data subject. New and improved rights for the data subject, such as the right to data portability and the right to be forgotten, will impact companies because such rights will need to be accommodated in their internal processes.

Some requirements of the GDPR may remain difficult to implement for some time, as additional guidance on the GDPR is still forthcoming. However, it is imperative that companies take a proactive approach and avoid leaving it too late. In particular, undefined terms such as “undue delay”, “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will need to evolve into a certain market practice or be further clarified by courts and regulators.

Putting controls in place and demonstrating compliance with a piece of law, using whatever is available and doable, may not be an entirely new thing for most professionals here. Coming up with a fancy plan for resources and time, along with a serious-looking agenda for the next few months, was an adrenaline job for many GRC professionals at the beginning of 2018. The myth that organizations would struggle to secure funding for GDPR readiness has fallen flat on its face: most of IT & ITeS has already secured budgets in its 2018 portfolio planning.

What is unique about GDPR is that everyone wants to be associated with it in some way or other, to bask in the glory of implementation, planning or governance; however, no one wants to own it. With so many stakeholders, often working in silos, the overall program lags on integration, which essentially defeats the core principle that GDPR is driving: “Accountability”.

To better understand their data (where it is, who has access to it and how it’s being used), many organisations are relying on static documents, manual processes, or point solutions. This makes it difficult to establish a holistic view of all in-scope data across the enterprise.

Additionally, they are too reliant on top-down assessments or generic evaluations to calculate compliance ratios. As a result, data is not validated against the specific, relevant GDPR principles, and therefore there is no guarantee of accuracy. Their assessments are also not actionable: while they can help with identifying gaps, IT won’t be able to close those gaps by taking direct control of the actual data.

As described in a recent article at a big data forum, identifying and realizing that your program will have a GDPR blind spot brings many additional benefits beyond just getting strong risk documentation.

A blind spot in a car is a location of which you don’t have a direct view from your viewpoint. Knowing the location of your car’s blind spot is an essential part of safe driving, and the blind spot is different for every model of car. Similarly, the new General Data Protection Regulation (GDPR) that will be coming into place on May 25th, 2018 presents some potential “blind spots” for companies in terms of protecting customer data. Identifying the blind spots in your organization’s GDPR compliance model is of vital importance and, much like the blind spot in varying car models, it differs for every organization. When looking for your company’s GDPR blind spot, you need to ask yourself a few questions:

How do you measure your organization’s GDPR readiness and define the milestones to address the identified gaps?

How does your organization know with certainty what data it has, where it is, and who is accessing it?

How can your organization calculate its data compliance ratio with accuracy if the data is not validated against specific, relevant GDPR principles?

And what about the future? Is there a sustainable plan for ongoing regulatory compliance after May 2018?

Well, you need to have your mirror adjusted, in the form of appropriate training, incident management and periodic table-top exercises, to ensure that you stay on your journey.



About the author

Rakesh Jha

Data & Information - Privacy Engineering

FIP CIPP/E RAKESH JHA FIP CIPP Co-Founder of Privacy Virtuoso Advisory GDPR, PIPEDA, HIPAA and ISO27001
