GDPR gold rush

I have never been so overwhelmed in my whole life. The GDPR gold rush is here.

I wish I could be excited by the fact, after all I have been predicting this since 2015 even? However, I am terrified by significant shortage of expertise on the market, those who really know what it is all about, versus the false gods. So much false news, and so much GDPR theatre, I just want this to stop, step back and, just stop panicking.

In Privasee, we are struggling to meet the demand, the panic. Our approach is to empower our partners with expert knowledge so they can do what is right for their clients. We are lucky to have Nebu as our Swedish consulting partner, learning partner is Cornerstone, we have other partners also in both Portugal and Malta! We want to make GDPR knowledge accessible to all! We call our consulting partners OWLs, because they have reached a level of expertise (we should know as we’ve trained them) to be able to run this race without Privasee, except for our methods (which are rapidly becoming privacy industry best practices).

R5lE6YCvphKh

My dream is to empower our customers with knowledge, so they are NOT dependant upon us.

My dream is to  demystify this GDPR monster, so that it becomes something we know.

And IMHO dreams are still possible 🙂

Facebook fined €1.2 m in Spain

Facebook (FB, -2.34%) collects data on people’s ideologies and religious beliefs, sex and personal tastes—from its own services and those of third parties—without clearly telling its users what it will do with this information. Read more here.

“In a statement, Facebook claimed the Spanish data protection authority (DPA) was wrong to say it showed people advertising based on sensitive personal data. It said ad-targeting was instead based on the interest people express by “liking” certain content on the social network.”

Of course this is rubbish what FB claim. When I was researching my first book I did some extensive clicking to see what would happen. Hence, if adverts pop-up on my profile proposing that I maybe interested in buying ‘incontinence pads’ as not sensitive personal data, what is?

 

A book for GDPR practitioners

This is the book that Filip Johnssén and myself wrote. Book launch is tomorrow by IAPP in Washington.

book_cover

SARs ex-employee fishing expeditions

An interesting post by By Sarah Thompson, employment lawyer, McGuireWoods.

By Sarah Thompson, employment lawyer, McGuireWoods.

SARs are often used by employees or former employees as a “fishing expedition” to obtain information in the context of disciplinaries, grievances and litigation, rather than for verifying/correcting their personal data. Previous court decisions have held that making an SAR in this context was an abuse of process and not the purpose of the legislation. However, recent cases and the ICO Code have clarified that an employee’s purpose for making the request is not relevant and employers need to respond regardless of whether the employee has an ulterior motive for making an SAR.

  • Disproportionate effort

Employers can refuse to provide information where doing so would involve disproportionate effort. Difficulties throughout the process (from finding, analysing and providing the data) can be taken into account. However, employers must be able to show that they have taken all reasonable steps to comply with the request and, as the ICO Code notes, “should be prepared to make extensive efforts to find and retrieve the requested information.

The DOVE is GDPR for employees!

Why call it the DOVE? Well doves are pretty peaceful and symbolise harmony. This is basically what GDPR privacy awareness training should bring your organisation, an awareness and tranquility.

Sorry for the sales pitch, but I’m pretty proud of the Privasee GDPR privacy awareness training !!!

So far we have it in English, Swedish and Portuguese!

GDPR panic?

There is a mad GDPR panic now. All those companies which haven’t started, or started very late, i.e. end of 2017 or beginning of 2018 are starting to realise that GDPR is not about security, or about fixing the privacy notice, or even responding to the rights of the data subject. It’s much more. It’s about doing it right. It’s about doing what should have been done before in order to benefit from business efficiencies.

Portability

Of course, they are starting to realise for example, that in order to achieve the 72 hour personal data breach notification requirement, that an incident management process needs to be in place and effective. That in order for this to work, even if you are using ITIL/ITSM the industry standard in incident management, it’s useless if you haven’t fixed your logging, i.e. what are your systems logging, how is it captured and correlated into something which means something. If you haven’t a baseline on what is ‘normal’, how do you know what is an anomaly?

The problem of testing on live data, not anonymised test data has reared its ugly head. How far can you go to anonymise before you lose utility? Or maybe pseudonymisation is the way forward, and then the test environment needs to adhere to the same GDPR demands as production.

In order to control the flow of personal data, they are starting to realise that you need to think on how the business process flows, over internal operations and processors. What are your processor agreements looking like? Have you placed strong requirements in the form of SLOs and metrics into your contract?

And, in order to achieve data protection by design, by default, every employee needs to know what is personal data, what is processing, and why should they care? This is needed in order to capture ‘invisible personal data’. Personal data which is being collected and processed by employees, and even they don’t know they are doing it wrong.

The challenges are multifaceted, and every company has different priorities depending upon their business, and how they have evolved. For example, why spend time getting legal to review a 100 contracts for GDPR compliance, when maybe you should be looking at how your business grew, was it through acquisitions? In this case maybe it’s time to look at taking a central governance approach to how you do business from here-on?

GDPR is a change management journey, it is about people, processes, and in the best situations, it’s about empowerment of every individual, and every nuance of business operations. It is enablement. It is a time to think new, and do it right!