GDPR: Don't be an Ostrich

Start taking accountability – all the efforts that you make towards tightening the controls around the personal data you process are going to be worth it.

Anghrija Chakraborty

Anghrija is a legal and statutory risk and compliance specialist, and in her current role, she also manages her employer’s alignment with the General Data Protection Regulation (GDPR), wherein she offers data protection advice, supports data protection impact assessments and audits, trains employees, responds to data protection related queries, and acts as an intermediary between data subjects, the company’s business units, senior management, and the data privacy office. She is a part-time blogger, small human, a Millenial, and a feminist. She earned a B.A. in English Literature, and uses that as an excuse to write about books while swearing a lot. She then switched gears to studying law, and now manages risk and compliance. At leisure, she reads books, writes, curses at popular fiction by Chetan Bhagat, and posts silly dog videos on Facebook. Her interests are books, dogs, music, podcasts, and Oxford commas.
Role: Anghrija is a guest blogger at Kinant. Opinions expressed are her own and not necessarily those of Kinant.

In a Sandpit

It is perhaps not the best analogy, really – but when I speak to peers in other companies about the EU General Data Protection Regulation (GDPR), or personal data protection in general, it reminds me of me, circa 2013-14, when I seemed to be at a terrible crossroad in my life. You might ask me - “How is that even related to the issue of GDPR?” Although my memory is slightly fuzzy about the actual events around that time, I can tell you this clearly - I stuck my head in a sandpit and pretended that I would not have to make a choice, and that the dilemma I was presented with would just disappear.

The thing is that when I speak with people about GDPR, I feel like they are being ostriches with their heads in the sand. Not that I think that GDPR is a maelstrom, but pretending that it does not apply to you won’t make it go away. And, with fines in the range of 10-20 million Euros, or a certain percentage of your turnover, let’s face it – do you really want to be the proverbial ostrich?

"It is just available business data anyway"

The most common thing that I hear is – “Well, we do not process any personal data. It is just business data.” Last time I checked, as part of business information or corporate information, one has access to Active Directories. Truth is that those Active Directories on your Outlook - with the names of your clients/employees, their locations, their phone numbers, official addresses, etc. - those are personal data, and belong to data subjects from the European Economic Area (EEA). And, just like that, GDPR becomes applicable.

This brings me to the inevitable segue – “But those are official email addresses, available on their public profiles. Those are out there in the public. How are those personal?" Well, to the extent that an official e-mail address identifies a living being, it is personal data. It does not matter if it out there on LinkedIn or other professional profiles. Being out there does not make it less sacrosanct.

"We have it under control - we have a privacy policy"

I remember this coffee table conversation that I had with a fellow compliance person from a similar industry. This was when I was just starting on my data privacy journey. I was curious to know about data privacy standards at his company, about how they were complying to the myriad laws and regulations. His laconic reply – “We have a privacy policy.” Let me tell you right now that this individual is not an outlier. I have had this very same response come out of multiple conversations.

The thing is that one cannot have a privacy policy, and expect people to fall in line with it just by having it published on the company portal or intranet. You have to have a compliance program wrapped around the concept of data protection that emphasizes on controls, and training and awareness. That privacy policy is not going to be of much help when data privacy authorities come knocking at your door if a breach happens. Pretending you are not aware of a privacy incident will not make you less accountable.

"Our employees are not rogue!"

This one is something that I hear from several senior people. “Our employees aren’t rogue. They take care of privacy and confidentiality.” Well, your employee does not have to have malafide intention to cause a data breach. They just have to carry a laptop home and open it in full view of others, in a jam-packed subway train, to work on some data – lo and behold! – someone takes a quick snapshot and shares it with another party.

Okay, you might think that is far-fetched. Closer to home – an HR personnel ends up sending a spreadsheet full of employee personal data to someone in the audit team, without any filtering or encryption, or any evaluation of what data is really required in order to fulfill the audit purpose, and they end up giving unauthorized access (that is breaching the law, by the way).

Now is the Time to Gear Up

In the run-up to GDPR (May 25, 2018, is the deadline, you guys), you must stop burying your head in the sandpit. GDPR sees you!!!! Start taking accountability – all the efforts that you make towards tightening the controls around the personal data you process are going to be worth it.