Was there any common sense in GDPR in the year of 2019?

GDPR Tech had it’s third year and anniversary in December 2019. Now it is good time to look back what has been accomplished. There are always things to do, also from our side.

Since the beginning of the company our motto has been: “In GDPR related issues, common sense is allowed”. With that motto we mean that GDPR covers a large area, and you shouldn’t overact or underestimate it. There are many elements for being “GDPR compliant”, but don’t overdo. Especially don’t focus only on e.g.  documentation, and forget to accomplish actual corrective actions.

GDPR has been considered to be complex and difficult to implement. To simplify GDPR compliance, risk-based approach is the easiest way on the way to compliance. Sweet and simple. We control and/or process living individuals’ data. GDPR sets the frames how we can use that data. One of the goals is and has been to harmonize national legislation to GDPR, thus rules being the same all over the Europe. Intention is to support individuals, not to stop normal business operations.

Why has this regulation been introduced as everybody follows the law and takes such good care of all data?

Well. There are several reasons for that, e.g. data breaches, companies selling our personal data, and political influencing based on personal data.  Many companies make good profits with selling our personal data to third parties, be it for sales, marketing or illegal purposes. Some of the companies really believe that they do own YOUR and my personal data. Yep, that is your data, not Googles or Facebook’s.

In Europe GDPR is a reality and that reality is here now

But is it here? After 25^th May 2018 nothing happened, and scaremongering consults apocalypse vanished to void? In reality it has taken more time as cases are complex.

Think about these examples: has there been any “privacy by design/default” or common sense involved?

• Airline carrier in UK left webpages without patches (technically, those boring cybersecurity and updates to components). About 500 000 (0,5M) individuals’ personal data was copied to third party, possible giving data to hackers in big time. Would you feel comfortable to be one of the many?
• Municipality in Norway and its school stored without protection pupils’ passwords and login information in one file, which contained also access data of under-age. Would it be happy to realize, that many of the other pupils have had access to your kid’s data?
• Hospital in Germany mixed patients when invoicing them, and many patients got treatment bill with somebody else’s patient data. Your kid, who’s an exchange student in Germany, is she one of the winners of being involved?

Yap, we also think that this kind of things should not happen. Local authorities in these countries were thinking the same way, and when the gentle nudging did not help, they sanctioned the orgs with tens of thousands to millions of euros, depending on the case and its level of severity.

What to do to be compliant in 2020? Can we do a project, one-off, lift-and-shift and off we go?

Our approach to GDPR readiness is divided to four sections, which the following pie presents. (those who have met me, have seen my horrible pie presentations in whiteboard, sorry).

• Regulation, legal affairs, responsibilities, typically things like contracts, due diligence, data processing agreements and so on. (in many cases paperwork only, but this is also required)