What’s the most important part of the GDPR for you?
Graham Jennings, March 14, 2018
Different teams will be concerned with different Articles, but the leadership team must see the whole
The ancient Indian parable of the blind men and the elephant tells the tale of a group of blind men who encounter an elephant for the first time and then attempt to describe to the others what they feel. As none of them can see the whole, their stories vary and no agreement is reached.
As I work on implementing the GDPR, this parable has a strange relevance. Each team you work with has its own interpretation of which part of the legislation matters most, based on its own needs.
1. Marketing. Clearly Article 7: Conditions of consent will be vexing your marketing team. How will they bring their databases into line to meet the requirement of capturing consent that is 'freely given, specific, informed and unambiguous'?
2. Security. By contrast, the security team is more interested in Articles 32-34: Security of personal data, along with the big stick of Article 83: General conditions for imposing administrative fines. The organisation still has to protect information as before, but life has become a lot more stressful knowing that fines for breaches are going to be much larger.
3. Information rights. This one is hard to assign to a team; it may be legal or it may be customer services, depending on the type of organisation. Whichever team it is, they will be studying Articles 12 through 23: Rights of the data subject, hoping that no-one is going to exercise those rights on 26 May.
4. Data governance. Article 5: Principles relating to processing of personal data with its purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality principles provides a handy framework for giving some legal clout to your current governance framework.
5. Processing agreements and data transfers. Assorted operational departments are going to be demanding new contracts and assurances based on Articles 28-30: Controller and processor and international transfers of data (Articles 44-50: Transfers of personal data to third countries or international organisations). There is going to be no peace until they are happy. Getting it right in this area could help your organisation gain a competitive advantage.
Different parts of your organisation will be seeing the GDPR through different lenses. The one group that has to see the whole with 20/20 vision, and hopefully not avoiding the proverbial elephant in the room, is the senior leadership team. They need to fully understand Article 5 and 'shall be responsible for, and be able to demonstrate compliance with' the whole regulation not just its several parts. I'll avoid the rather too obvious elephant analogy of advising you not to get trampled by the herd of GDPR consultants, law and tech firms offering their services in the rush to help you hit that 25 May deadline, but remember that the gestation period of an elephant is two years … the same time organisations have had to get ready for the GDPR.
Graham Jennings is the data compliance manager at London Business School