You could almost be forgiven for thinking that words and phrases like ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.
The UK’s ICO themselves provided a sample of what records of processing should look like, and even included examples of content. Their column headed “General description of technical and organisational security measures (if possible)” contains just two examples: “encrypted storage and transfer” and “access controls”. So, in the absence of more detailed guidance from any supervisory authority [that I have seen], just what are organisations supposed to do?
First, you need to understand that in Article 32 – Security of Processing, the phrase “technical and organisational security measures” is qualified twice by the one word that makes the whole thing not only clear, but very simple: “appropriate”.
Article 32(1): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”.
I’m not going to go into detail about how you define ‘appropriate’; I’ve already done that in GDPR: How Do You Define ‘Appropriate’ Security Measures?. Instead, I am going to provide an example of what this would look like on the only medium that counts: paper.
Well, here we are, close of business May 25th, and oh look, the sun is still shining, the world is still spinning, and no one [decent] went out of business.
What we do have, however, is an indication of who the world’s biggest muppets are. For example:
…and the list goes on and on.
As if the barrage of ridiculous and utterly meaningless emails over the last few months wasn’t enough, the spectacular ignorance shown by these and many other organisations defies belief. The only good thing I can say about these weapons-grade plums is that they are actually taking GDPR seriously. They DID something. The fact that they are needlessly damaging their reputations is apparently beside the point.
If you hadn’t heard of the GDPR before the last month or so, you have now. You have all received at least one, and more likely dozens, of emails from organisations with whom you have had some contact in the past, most of whom you have probably forgotten about. For example, I hadn’t used my Garmin account for over a decade but still received an email asking if I wanted to ‘opt in’ to continue receiving its “many benefits”.
I wouldn’t mind so much, but every last one of these ‘calls for action’ is utterly, inexcusably, and embarrassingly wrong! Literally, not one that I have received has followed what amount to clear instructions from the many qualified sources available (i.e. the ICO for the UK, Art. 29 WP for everyone else, numerous law firms etc.) on what to do.
Therefore both of the following are true:
- The organisations looking for GDPR guidance had no idea what they were asking for from their ‘expert’ help, or whom to ask; and
- The providers of the guidance had no clue what they were doing.
I can also assume that no one in the respective organisations had actually read the GDPR, and the providers of guidance clearly learned just enough to fool all those who have remained clueless. Frankly these people deserve each other.
Here are some of my favourite vendor emails [paraphrased]:
- “If you don’t respond to this email we will assume you want to keep receiving emails from us.”
- “Unless you read and sign our new terms and conditions we will cease all communication.”
- “Our database of customers’ email addresses, including yours, will be deleted.”
- “If you don’t opt in to receive emails relevant to the services we provide you, we’ll stop sending them.”
- “Our website is not available to any European member state…”
Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.
All, that is, with the exception of Recital 80 / Article 27 – Representatives.
I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.
My English translation (i.e. not legalese) of Recital 80 is:
Any controller or processor not established in the EU, but who:
1. offers goods or services (regardless of payment acceptance) to data subjects in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU,
…must designate a representative to act on their behalf who may be addressed by any supervisory authority, unless the processing:
- is occasional;
- does not include processing on a large scale of special categories of personal data;
- does not include processing of data relating to criminal convictions and offences;
- is assessed as low risk; or
- is performed by a public authority or body.
If you’re reading this, you likely fall into 1 of 3 camps:
- You are horrified at the concept and can’t wait to tear me a new one;
- You actually think I may be able to help you make a lot of money; or
- You know me and realise that the title is nothing but click-bait.
If 1., then good for you, I would do the same. If 2., then you’ve come to the wrong place unless you’re prepared to put in significant effort. If 3., then you’re right! 🙂
However, the fact is that there is a lot of money to be made in GDPR, but you only deserve it if you are providing true, long-term benefit to your clients. Otherwise, kindly stay away. This goes for consultants and product vendors alike: do business with integrity; there’s simply no need to exploit those less knowledgeable. Unfortunately, the vast majority of people with whom I come into contact still haven’t even read it, leaving the door wide open for those intent on exploitation.
So where is this money I’m talking about? Where is it all going to come from? Simple: almost every organisation doing business in, and with, the EU will have to make adjustments of some sort, some more than others if you’re following the whole Facebook scenario. There are some that think that by ‘hiding’ the data overseas they have avoided the issue, but these people are naive in the extreme.