GDPR: Don't be an Ostrich
Start taking accountability – all the efforts that you make towards tightening the controls around the personal data you process are going to be worth it.
In a Sandpit
It is perhaps not the best analogy, really – but when I speak to peers in other companies about the EU General Data Protection Regulation (GDPR), or personal data protection in general, it reminds me of me, circa 2013-14, when I seemed to be at a terrible crossroads in my life. You might ask me – “How is that even related to the issue of GDPR?” Although my memory is slightly fuzzy about the actual events around that time, I can tell you this clearly – I stuck my head in a sandpit and pretended that I would not have to make a choice, and that the dilemma I was presented with would just disappear.
The thing is that when I speak with people about GDPR, I feel like they are being ostriches with their heads in the sand. Not that I think that GDPR is a maelstrom, but pretending that it does not apply to you won’t make it go away. And, with fines in the range of 10-20 million Euros, or a certain percentage of your turnover, let’s face it – do you really want to be the proverbial ostrich?
"It is just available business data anyway"
The most common thing that I hear is – “Well, we do not process any personal data. It is just business data.” Last time I checked, as part of business information or corporate information, one has access to Active Directory address books. Truth is that those directories in your Outlook – with the names of your clients/employees, their locations, their phone numbers, official addresses, etc. – are personal data, and belong to data subjects from the European Economic Area (EEA). And, just like that, GDPR becomes applicable.
This brings me to the inevitable segue – “But those are official email addresses, available on their public profiles. Those are out there in the public. How are those personal?” Well, to the extent that an official e-mail address identifies a living person, it is personal data. It does not matter if it is out there on LinkedIn or other professional profiles. Being out there does not make it any less sacrosanct.
"Our employees are not rogue!"
This one is something that I hear from several senior people. “Our employees aren’t rogue. They take care of privacy and confidentiality.” Well, your employee does not have to have mala fide intent to cause a data breach. They just have to carry a laptop home and open it in full view of others, in a jam-packed subway train, to work on some data – lo and behold! – someone takes a quick snapshot and shares it with another party.
Okay, you might think that is far-fetched. Closer to home – an HR staff member ends up sending a spreadsheet full of employee personal data to someone in the audit team, without any filtering or encryption, or any evaluation of what data is really required in order to fulfil the audit purpose, and they end up granting unauthorized access (which is a breach of the law, by the way).
Now is the Time to Gear Up
In the run-up to GDPR (May 25, 2018, is the deadline, you guys), you must stop burying your head in the sandpit. GDPR sees you!!!! Start taking accountability – all the efforts that you make towards tightening the controls around the personal data you process are going to be worth it.