GDPR … and Snake Oil
2nd November 2017
The GDPR countdown relentlessly continues, and even the most reluctant of organisations are starting to realise that preparatory activities will be needed. For those with little or no previous experience in providing effective protection for personal data (for the moment, let’s overlook the fact that this should already have been in place under the UK Data Protection Act of 1998), many are seeking external assistance from the rapidly growing list of “GDPR Experts” (either as consultants or software providers). Whilst many claim to offer a “silver bullet” with which full GDPR compliance can be quickly and easily accomplished, their customers are starting to discover that this is rarely the case.
We’ve created this blog to help business owners and professionals from all sectors to understand what to look for if they are reaching out for external support.
Firstly, we need to remember that “data protection” and “information security” are closely linked, so trying to address the challenges contained within the many Articles and Recitals of GDPR will require a detailed understanding of both areas. Too many GDPR experts are attempting to provide GDPR advice without identifying or resolving underlying information security problems, which is setting the customer up for significant challenges downstream.
Article 35 of GDPR conveys the requirements for “privacy by design”, and a comprehensive Data Protection Impact Assessment of high-risk data processing activities will seek to assess the readiness of many different areas. It’s not all about the writing of new procedures to deliver data subject rights, or the commercial changes needed to protect the data controller and any data processors. At the heart of such an assessment should be analysis of effective technical and organisational controls, secure application development, robust monitoring activities and ongoing training programmes – which should extend beyond direct employees to contractors and other data processors within the supply chain.
Ensure your short-listed GDPR experts are asked to demonstrate extensive, practical experience in these areas; perhaps ask them to identify real-world examples of data protection issues that weak or absent security controls would have prevented. Beware of theoretical explanations of what could go wrong that lack the experience of an individual who has actually confronted such challenges in industry. Lots of experts have only recently established their GDPR-related enterprises, and you should be seeking capability that has demonstrable longevity, experience and success. Asking for details of reference clients, and actually speaking to them, will further validate that what is being promised can actually be delivered.
There’s a degree of comfort that can be obtained from the certifications and credentials of your potential GDPR expert. Evidence of formal GDPR training – or, better still, training as a formal Data Protection Officer – is essential. Referring to our earlier observations about the relationship with information security, a Certified Lead Implementer or Lead Auditor for ISO27001 (the international standard for information security) means you will be talking to somebody who has proved that they know their stuff.
Let’s re-examine the “silver bullet” approach that claims to solve everything required by GDPR. Firstly, this doesn’t exist. Really. It doesn’t. And be sceptical of anyone who claims that it does. GDPR is a complex framework of requirements, and whilst competent expert help will assist you in making the right preparations, most of the activities required will be down to you and your employees to implement and operate. No single software solution can rewrite your commercial contracts, train your staff, monitor for data breaches and respond to data subject access requests. A pragmatic expert will ensure you have an understanding of what each Article or Recital within GDPR actually requires, provide you with sensible guidance on how to prepare for and implement each, and be on hand to review your work to ensure that it can achieve and maintain an acceptable level of compliance with GDPR.
We regularly talk about the positive values of GDPR, in delivering better protection of the rights of data subjects in our increasingly digital world by providing a more robust framework of data protection than we have seen to date. However, we can’t ignore the well-publicised penalties that will accompany non-compliance with GDPR, so it’s extremely important that any external assistance that is engaged will make a positive difference to reducing the risks of non-compliance and being the recipient of the associated penalties.
At InfoSaaS, our professional team have over 20 years’ experience in implementing, delivering and maintaining information security and data protection services that provide demonstrable protection and resilience to our customers. We have a selection of focused cloud-based solutions, including “Assure” (our IT risk management solution for ISO27001) and “UtopiaR” (our Data Protection Impact Assessment solution for GDPR), to name but two. And we can willingly demonstrate our certifications, credentials and satisfied customers.
The only thing that we’re missing is the snake oil. Sorry.