Speaking at the GDPR Summit London, Ardi Kolah, Editor-in-Chief, Journal of Data Protection & Privacy, rammed home the message: GDPR is about trust and accountability.
The great novelist Graham Greene once wrote a spy thriller called ‘The Human Factor’, and a riveting read it was too. Today, speaking at the latest GDPR summit, Ardi Kolah began his talk by discussing the human factor in GDPR. He was not talking about spies, but then again, GDPR represents the opposite to that.
It is a mistake if your starting point, when looking at GDPR, is fines or sanctions, he suggested.
To the contrary, he said, trust is the starting point. If they can create trust, companies can do more not less with personal data.
There are seven principles of data protection covered by GDPR, said Ardi.
He began by listing six of them:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Integrity and confidentiality
But he argued that the most important of the seven is the data accountability principle: The Data Controller shall be responsible and must be able to demonstrate and verify compliance with GDPR.
“The key is to have a plan,” Ardi suggested. You cannot eliminate risk altogether, but you can minimise it.
“You will have a data breach,” he said ominously. “But you need to have done enough to ensure a breach does minimal harm.” And you need evidence to show you have taken the necessary steps to minimise risk.
He then turned to the issue of consent versus legitimate interests. The risk associated with consent relates to how freely it is given - an employee may, for example, feel that they have no choice but to give consent.
This is why “the vast majority of data will be held under legitimate interests,” said Ardi.
But Ardi reminded us that data that is held must be “adequate, limited and relevant and is necessary for the purposes for which it is processed.”
Legitimate interests also makes the need for a privacy agreement paramount.
But just remember, transparency is vital, and accountability is essential to ensure GDPR is given the priority it requires.