I think I may have invented a new phrase today: “GDPR Hysteria”. It’s when a company, management team or data protection officer takes the requirements of GDPR and dials them up to 11. This is something I’ve seen a few times now, and I’m quite at a loss to explain it.
The closest comparison I can come up with is about 6 months before Y2K, when a few industry names were saying “the sky will fall in!!” and companies were selling Y2K consultancy because they were “Y2K experts”, even though no one had been through this before and it was difficult to tell how certain systems would cope on the big night itself. There were all sorts of stories about nuclear power stations exploding, planes falling out of the sky and power grids going down. And what happened? People had a good time. Yes, a few legacy systems suffered from date confusion, but those were a few edge cases. The world kept on turning, the sun rose and the planes stayed in the sky.
Now, before I carry on, I’m not a GDPR expert. I’m not sure that anyone can call themselves a GDPR expert because a lot of the finer details of how GDPR is interpreted are likely to come from ICO rulings and possibly even court cases. However, I do believe that there are a couple of basic tenets in the GDPR directive that people are getting caught up in:
The right to be forgotten – This is something that people seem to be rather hung up on. It’s an important right and one that a company must adhere to as long as there are no other legal reasons why it cannot be enforced. For example, if you have a legal requirement to keep HR data for 7 years then the right to be forgotten cannot be exercised because it’ll conflict with another law that requires the data to be retained.
Data destruction – I’ve come across some frankly quite ludicrous requirements such as destroying faulty disks and then returning the parts to the vendors. The key thing to remember here is that the vendors operate or sell in Europe, therefore they are legally bound by GDPR as well.
All the directive requires is that the company confirm that they are taking their GDPR responsibilities seriously and that the company has a process for returning failed hardware after considering GDPR requirements. If the company you’re shipping to has told you that they are compliant with GDPR then it’s all good.
Remember, if a company you work with suffers a breach, it’s not your fault. They are the ones with the duty to report the breach to the ICO. They are the ones who will be investigated for that breach. Now, if your client’s data is exposed there are requirements under GDPR to deal with that, but as long as you have a process for doing so the ICO is highly unlikely to have any interest in you. Imagine a company like IBM, Dell or HP suffering a breach: the list of potentially affected customers will run into the tens of thousands.
A lot of GDPR focuses on the need to have considered what data you hold, how that data is used, where it’s used, who it’s shared with and how that data is protected. It’s not there to stop you doing your job, and it’s not there to sour relations with vendors, as they’ll be operating under that exact same rule. It’s also in their interests to be GDPR compliant and to have policies for dealing with personal data, including what to do if that data is breached.
Now, can we please tone down the GDPR hysteria?