Yet Another GDPR Post
3 min read

Yet Another GDPR Post

Yep, I'm sorry. I know you're all sick of hearing those 4 letters, but I promise I'm not going to use this to try to force %randomVendor%'s product down your throat.

Quite the opposite, actually.

Like you, I've been inundated by seemingly every vendor under the sun's emails over the past year or 2. I've read a few of them. I've sat on a number of webinars. Some of their products are pretty neat. In fact: A LOT of the products out there are pretty neat.

NONE OF THEM ARE A MAGIC BULLET FOR GDPR. A next generation firewall won't fix things for you. A backup application won't fix things for you. An antivirus program won't fix things for you. Some cool data discovery and cataloguing tools won't fix things for you.

A lot of my customers have spoken with me about GDPR and it seems that 2 things are clear: people are either concerned about GDPR, but don't know where to start or people are burying their heads in the sand, and likely will until some fines are handed out.

The biggest confusion seems to be that businesses aren't actually abiding by existing Data Protection regulations, because the ICO (who is responsible for enforcing the UK Data Protection Act 1998) has been largely seen to be toothless. A number of high profile breaches in the past years appear to have resulted in negative publicity and nothing more: Talk Talk, for example still appear to be trading with little by way of ill effects after sucking up a £400k fine for failing to protect the access of data of 156,959 customers, including the bank account and sort codes of 15,656. Despite this, there is a general feeling in certain businesses that not bothering to cover the bases required to comply with DPA is worth the risk to the business - even if they did get caught then the cost to protect against these breaches is likely higher than the fine.

Don't be one of those companies. Know what personal data you hold (this includes your HR records, customer data in your CRM and marketing databases - definition lifted from the ICO website

What information does the GDPR apply to?

Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about >people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).

The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).

Note that just because you have pseudonymised data that doesn't mean that you can take the data out of scope for GDPR.

You can't just ignore GDPR if you are outside of the EU if you do business with folks in the EU (and as such hold their data).

You can't just ignore GDPR if you outsource the processing of your customer data to a third party - you are liable as a Controller.

Know your data holdings, and have a plan to protect them. Have a plan to handle a data breach. Appoint someone to be responsible for that plan, and revisit it regularly.

Above all: don't bury your head in the sand. The clock is ticking - May 25th 2018 is your line in the sand.