This post is a short one we have prepared ahead of Data Privacy Day. Our most requested slide in Data Protection presentations since 2014 has been our “One Slide Summary of the GDPR”. It has been through a few iterations but still stands up to the task of explaining how the different elements of the GDPR interact. We’ve extended it to include our 11-box model for Information Governance and Information Quality to show how the requirements of the GDPR relate to key governance areas in the organisation.
This graphic is made available to celebrate World Data Privacy Day under a Creative Commons Licence. Share-alike, attribute it, but please do not use for commercial purposes without our permission.
Summarising the GDPR
The General Data Protection Regulation centres on 7 core principles of Data Protection that are essentially a refresh and an update of the 8 core principles that were in Directive 95/46/EC. These principles, however, have to be interpreted in the context of Articles 7 and 8 of the Charter of Fundamental Rights and, as indicated by the European Data Protection Supervisor, Article 1 of the Charter as well.
These principles are balanced in the context of a Risk-based approach within the Regulation. What this means is that organisations need to determine for themselves how well their proposed processing and associated controls and governance will support the 7 principles and respect the requirements under the Charter of Fundamental Rights. This Principles Driven framework must inform and guide the governance of processing of personal information, with the “quality” being how well the organisation strikes that balance. The term “Risk Appetite” will likely begin to feature a lot over the next few years, particularly given the emphasis the Regulation places on the context of processing and the nature of the information being processed in sections that largely say “Hey, Controller/Processor… you have to make a decision here (and if you get it wrong….”).
The Governance and Quality focus in the Regulation is evidenced by the semi-mandatory DPO function, the emphasis on documentation of processing (which supports the transparency and accountability principles), and the emphasis on the need for processing and controls to be supported by evidence of their effectiveness. Simply “ticking the box” that training has been done, for example, may not be enough – the test may well be was it done, and has it affected behaviour?
Finally, the emphasis on Privacy by Design/Default is a key cultural driver for organisations that can ONLY be effectively implemented through appropriate governance and change management.
Through the Risk-based approach, we find an emphasis on enforcement and penalties on the other side of the coin. Getting it wrong will be expensive, with maximum fines expressed as a percentage of global turnover in the previous year or a defined amount that must be “dissuasive” – no small hits here! The size of the hit can be mitigated through a range of factors, all of which effectively tie back to the requirement for effective governance of information in the organisation and the emphasis on privacy by design/default within that.
The question of “stricter consent” rules will only be answered through consideration of processes and controls (Do you have a method to verify age? Does it need to have different rules in different Member States? What happens if the rules change?). Likewise, the enhanced rights such as the right to Data Portability, the reduced response windows for Subject Access Requests (and the increased amount of information that organisations will need to provide compared to current practices), and the Right to be Forgotten/erased all raise governance and process challenges that organisations need to address. Finally, the question of enforcement against Data Processors makes the governance and control of processor agreements, and associated change control, essential – for both Controllers AND Processors.
And then we have the One-Stop-Shop and extra-territorial application to consider as well.
Under each of those areas there is a wealth of additional detail to discuss and tease out, but as a 1 slide ready reckoner, this provides a good conversation starter.
Linking to Information Governance and Information Quality
Information Governance and Information Quality controls and practices are key to meeting and exceeding the requirements of compliance with the GDPR. After all, the EU Data Protection Supervisor has repeatedly said that the legislation is a “floor, not a ceiling”.
This diagram maps the Governance drivers in the GDPR to a structured framework we have developed that encapsulates key issues in Information Strategy, Information Governance, and Information Quality. We use the 11-box model in a variety of ways.
Why not contact us to find out how it can help your organisation frame your Information Governance change journey to meet the challenge and opportunity of the GDPR?
This file is also available as a PDF.