GDPR: How Much Compliance is Enough?

I was asked the equivalent of the subject question the other day, and realised that perhaps the demonstration of compliance is not quite as obvious as I have made it out to be in previous blogs.

And by ‘obvious’ I don’t mean ‘simple’, because this has always been simple.

The word ‘appropriate’ appears 115 times in the GDPR final text, and the word ‘reasonable’ a further 23, but if you don’t know how to define those things in relation to compliance for your organisation, how do you know when you’ve done enough? Or too much? The balance is as important to your business as compliance itself.

Let’s start with definitions of ‘reasonable’ and ‘appropriate’:

  • Reasonable – in compliance terms, this would be based on precedent (i.e. is readily comparable to an equivalent scenario that has already been deemed acceptable), and is a mature and established practice, even in data protection law;
  • Appropriate – depends entirely on what needs to be deemed appropriate, e.g.:
    • Information Security – which is defined by the output from the Risk Management processes;
    • Consent – which depends on the data processing operation(s);
    • Legitimate Interest – which depends on the relationships between the stakeholders;
    • ...and so on.

So by asking “How much compliance is enough?”, you’re really asking “How do I demonstrate appropriate compliance (and not get fired for missing the mark or spending too much)?”.

Grossly simplified, you have two extremes from which to choose:

  1. Spend a small fortune to make sure you’ve covered absolutely everything, and
  2. Do just enough to give the appearance of compliance.

In actuality, neither extreme is viable; you can never guarantee that you’ve covered everything, and you can’t ‘window dress’ compliance. In other words, you have to demonstrate that you have made best efforts in your attempt to achieve and maintain compliance, while “taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected”.

You would never spend £100,000 to get GDPR compliant if the personal data you have is only worth £1,000 to your business and represents little to no risk to the data subjects if lost. Right? But nor could you justify NOT spending £1,000 to protect £100,000 worth of highly sensitive data.

So taking one aspect of a GDPR compliance project as an example (data discovery), what does this look like in the real world? You have:

  1. made every reasonable effort to discover all repositories of personal data – this can be a manual process but is clearly enhanced significantly via a technical solution;
  2. mapped all repositories of personal data to the processes that utilise them – and deleted all others;
  3. ‘legalised’ the remaining processes.

The above is the part of the project that achieves compliance; the maintenance of compliance is demonstrated by:

  1. a documented and continuous risk management process that encompasses the current data processing, the capability of the existing infrastructure, and the prevailing threat landscape;
  2. the implementation of additional controls (as necessary); and
  3. an acceptance by senior leadership (usually the Board of Directors) of the residual risk.

The BoD can never use the phrase “We didn’t know the data was there!” (because of the accountability principle), nor can they accept the ‘appearances only’ option if they know the data is there and can’t justify its continued existence.

What this all means for defining ‘appropriate’ is that compliance can only be defined by the BoD. To do that, they will need assurance that someone has:

  1. found as much personal data as possible in the initial discovery exercise – allowing for immediate risk reduction;
  2. helped map the personal data flows to business processes for subsequent legalisation and reporting (if required) – achieved compliance;
  3. ensured that unauthorised personal data is not introduced – is maintaining compliance.

So the validation of ‘appropriate’ is now covered by the fact that:

  1. the data discovery methods used have met the intent of “state of the art and the costs of implementation”;
  2. there are fully defined inputs into the risk management process(es), and
  3. the BoD has everything it needs to make decisions for which it will happily accept accountability.

I’m not sure if the above even makes sense (I tend to ramble), but what I’m trying to say is that the demonstration of ‘appropriate’ is as established a mechanism as demonstrating ‘reasonable’. All you need to do is replace precedent with process.


If you think I'm wrong, please tell me why!
