In a Sandpit
It is perhaps not the best analogy, but when I speak to peers in other companies about the EU General Data Protection Regulation (GDPR), or personal data protection in general, it reminds me of me, circa 2013-14, when I seemed to be at a terrible crossroads in my life. You might ask me - “How is that even related to the issue of GDPR?” Although my memory is slightly fuzzy about the actual events around that time, I can tell you this clearly - I stuck my head in a sandpit and pretended that I would not have to make a choice, and that the dilemma I was presented with would just disappear.
The thing is that when I speak with people about GDPR, I feel like they are being ostriches with their heads in the sand. Not that I think GDPR is a maelstrom, but pretending that it does not apply to you won’t make it go away. And, with fines of up to 10 or 20 million euros, or 2% or 4% of worldwide annual turnover, whichever is higher, let’s face it - do you really want to be the proverbial ostrich?
“It is just available business data anyway”
The most common thing that I hear is - “Well, we do not process any personal data. It is just business data.” Last time I checked, the “business information” or “corporate information” everyone has at hand includes the company address book: the Active Directory-backed global address list that Outlook shows you. Those entries - the names of your clients and employees, their locations, their phone numbers, their office addresses, and so on - are personal data, and many of them belong to data subjects in the European Economic Area (EEA). And, just like that, GDPR becomes applicable.
This brings me to the inevitable segue - “But those are official email addresses, available on their public profiles. Those are out there in the public. How are those personal?” Well, to the extent that an official e-mail address identifies a living person, it is personal data. It does not matter if it is out there on LinkedIn or other professional profiles. Public availability does not take it out of scope, and it does not make it any less sacrosanct.
“Our employees are not rogue!”
This one is something that I hear from several senior people. “Our employees aren’t rogue. They take care of privacy and confidentiality.” Well, your employee does not need mala fide intent to cause a data breach. They just have to carry a laptop home and open it in full view of others, in a jam-packed subway train, to work on some data - lo and behold! - someone takes a quick snapshot and shares it with another party.
Okay, you might think that is far-fetched. Closer to home - someone in HR sends a spreadsheet full of employee personal data to someone in the audit team, without any filtering or encryption, and without any evaluation of which fields are actually required to fulfil the audit purpose. The audit team now has access to data it was never authorised to see. That is a personal data breach in its own right, by the way, and a failure of the data minimisation and purpose limitation principles on top of it.
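The HR spreadsheet scenario above, as an added illustration that is not part of the original post: one way to cut a raw HR export down to only the columns a named purpose is documented to need before it is handed to the audit team, with the employee ID replaced by a keyed pseudonym so the recipient can still join rows but cannot recover identities without HR’s key. The sample records, the purposes and their allow-lists, and the key value are all constructed for this example and are assumptions, not anything from the author’s company.

```python
"""Purpose-bound minimisation of an HR export before it leaves HR.

Added example, not from the original post. All records, purposes,
allow-lists and the key below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample rows (not real people): what a raw HR export carries.
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Ana Costa", "home_address": "Rua A 1, Lisboa",
     "phone": "+351 900 000 001", "bank_iban": "PT50000000000000000000001",
     "salary": 52000, "department": "Finance", "start_date": "2019-03-01"},
    {"employee_id": "E1002", "name": "Bram de Vries", "home_address": "Keizersgracht 1, Amsterdam",
     "phone": "+31 600 000 002", "bank_iban": "NL00BANK0000000002",
     "salary": 61000, "department": "Engineering", "start_date": "2017-09-15"},
]

# Per-purpose allow-lists (assumed): the only columns a recipient may receive.
PURPOSE_FIELDS = {
    "payroll_audit": {"employee_id", "department", "salary", "start_date"},
    "headcount_report": {"employee_id", "department"},
}

# Direct identifiers that never leave HR in the clear, whatever the purpose.
DIRECT_IDENTIFIERS = {"name", "home_address", "phone", "bank_iban"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated to 64 bits) of an identifier.

    The recipient can still join rows on it, but cannot reverse it without
    HR's key. A plain unkeyed hash of a short ID like 'E1001' would be
    trivially brute-forced, which is why the key matters."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise(records, purpose, key):
    """Return (rows_to_share, columns_withheld) for the named purpose.

    Fails closed: raises ValueError if the purpose is not documented, or if
    its allow-list would disclose a direct identifier."""
    try:
        allowed = PURPOSE_FIELDS[purpose]
    except KeyError:
        raise ValueError(f"no documented purpose {purpose!r}; do not share") from None
    leak = allowed & DIRECT_IDENTIFIERS
    if leak:
        raise ValueError(f"purpose {purpose!r} would disclose {sorted(leak)}")

    shared = []
    withheld = set()
    for row in records:
        out = {}
        for col, val in row.items():
            if col not in allowed:
                withheld.add(col)      # record what was stripped, for the audit trail
                continue
            out[col] = pseudonymise(val, key) if col == "employee_id" else val
        shared.append(out)
    return shared, sorted(withheld)


if __name__ == "__main__":
    key = b"hr-only-secret-rotate-me"   # assumed value; stays inside HR, never sent with the file
    rows, withheld = minimise(EMPLOYEES, "payroll_audit", key)
    print("shared to audit:", rows)
    print("withheld columns:", withheld)
```

Minimisation decides what goes into the file; it does not replace encrypting the file in transit and at rest or restricting who may open it, which the scenario above also skipped. The list of withheld columns is worth keeping with the transfer record, since it documents that the purpose-limitation check actually ran.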
Now is the Time to Gear Up
In the run-up to GDPR (May 25, 2018, is the deadline, you guys), you must stop burying your head in the sandpit. GDPR sees you! Start taking accountability - every effort you make now towards tightening the controls around the personal data you process is going to be worth it.
Anghrija is a legal and statutory risk and compliance specialist, and in her current role, she also manages her employer’s alignment with the General Data Protection Regulation (GDPR), wherein she offers data protection advice, supports data protection impact assessments and audits, trains employees, responds to data protection related queries, and acts as an intermediary between data subjects, the company’s business units, senior management, and the data privacy office. She is a part-time blogger, small human, a Millennial, and a feminist. She earned a B.A. in English Literature, and uses that as an excuse to write about books while swearing a lot. She then switched gears to studying law, and now manages risk and compliance. At leisure, she reads books, writes, curses at popular fiction by Chetan Bhagat, and posts silly dog videos on Facebook. Her interests are books, dogs, music, podcasts, and Oxford commas.
Role: Anghrija is a guest blogger at Kinant. Opinions expressed are her own and not necessarily those of Kinant.