Technique and ethics: the bright sides of GDPR
A lot has been said and written about the GDPR regulations, usually with a threatening undertone. GDPR is difficult and the fines are immense. However drastic, GDPR has a number of positive aspects. GDPR offers many opportunities to bring your own information provision to a higher level. It is the perfect occasion for a big spring cleaning of data management.
GDPR touches two major domains: the technology behind data management on the one hand and the human interaction with data on the other. The technology relates to the systems, the communication channels, the storage and security; in other words, the ICT facilities of the organization, at least where digital data is concerned. The human side is about policy, ethics, enforcement and communication. In fact, the GDPR is an excellent reason to clean up the data housekeeping of companies. GDPR forces organizations to account for the handling of personal data: data concerning customers, prospects, partners and (ex-)employees. And that is also an ethical issue: are you doing the minimum to comply with the rules (the letter of the law) or do you act in the interests of those involved (the spirit of the law)? Technically everything is possible, but from an ethical point of view, not everything is appropriate.
Let’s start with the IT side. How do we make it GDPR-compliant as quickly as possible? This can be very simple, but with a giant step: bring all applications and data to the cloud, and get rid of a lot of security headaches at once. Serious cloud and SaaS providers such as Google and Salesforce are fully GDPR compliant. They have all possible certifications. Their security is at a level that most organizations can only dream of, a level that most companies will never achieve on their own. Your data and access to it are, under certain conditions, safe in the cloud. By going to the cloud, your IT challenge is resolved and time and energy are freed up to address the other side of GDPR: the organizational one.
This side is easier to solve than you might think: with a multidisciplinary approach. After all, it is not purely a legal issue. It is mainly a process issue, and one that mainly concerns marketing and HR, two departments that, by the nature of their roles, work a lot with personal data. They can explain to process experts how they handle customer and staff data. The IT department or enterprise architect knows – if all goes well – which applications are used when processing personal data. Based on this information, an action plan can be made for implementing the rights that customers and employees have when it comes to viewing, changing and deleting their data. Once that plan is complete, it is up to the lawyers to test whether it also holds up legally. That is the correct order.
GDPR focuses on six relatively simple basic rights of European citizens (in their role as customer or employee) and the associated processes. Translate these six consumer rights into business processes and you are 80% ready; the rest is legal hair-splitting. These processes are carried out by people and supported by IT. Employees must be trained in how they can handle personal data – and especially in what is not allowed. And the supporting IT must be arranged in such a way that employees can easily keep to the agreements made. This can be done by automating decisions about data. For example: assigning access rights to personal data based on roles and rights (RBAC – Role Based Access Control). Or completely automating the right to be forgotten, which means that you can remove the data of a customer from all your systems with just one push of a button, with the exception of the data that are subject to retention obligations.
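As an added illustration of the two automation ideas above (this is not code from the original post, nor from Qhuba or g-company), a small Python sketch over constructed sample records: a role check gates who may trigger an erasure, and the erasure skips records whose legal retention period has not yet expired. The role names, permissions and retention periods are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    """One personal-data record as stored in one system (constructed sample)."""
    system: str
    subject_id: str
    category: str
    created: date
    retention_days: int = 0  # 0 = no legal retention obligation, may be erased


# RBAC: which permissions each role carries (assumed roles, for illustration).
ROLE_PERMISSIONS = {
    "marketing": {"read:customer"},
    "hr": {"read:employee", "read:customer"},
    "privacy_officer": {"read:customer", "read:employee", "erase:subject"},
}


def may(role: str, permission: str) -> bool:
    """Return True if the role is allowed the given permission."""
    return permission in ROLE_PERMISSIONS.get(role, set())


def forget_subject(records: list, subject_id: str, role: str, today: date):
    """'One push of a button': erase every record of one data subject across
    all systems, except those still under a retention obligation.
    Mutates `records` in place and returns (erased, retained)."""
    if not may(role, "erase:subject"):
        raise PermissionError(f"role {role!r} may not erase personal data")
    erased, retained, kept = [], [], []
    for r in records:
        if r.subject_id != subject_id:
            kept.append(r)
        elif r.retention_days and r.created + timedelta(days=r.retention_days) > today:
            retained.append(r)  # retention period still running: must be kept
            kept.append(r)
        else:
            erased.append(r)
    records[:] = kept
    return erased, retained


# Constructed sample data: customer c-42 exists in three systems; the invoice
# is assumed to carry a seven-year retention obligation.
SAMPLE = [
    Record("crm", "c-42", "contact details", date(2017, 3, 1)),
    Record("newsletter", "c-42", "mailing preferences", date(2017, 6, 1)),
    Record("invoicing", "c-42", "invoice", date(2017, 9, 1), retention_days=7 * 365),
    Record("crm", "c-7", "contact details", date(2016, 1, 1)),
]
```

Run `forget_subject(list(SAMPLE), "c-42", "privacy_officer", date(2018, 5, 25))` to see the CRM and newsletter records erased while the invoice is reported as retained.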
Another nice aspect of GDPR is that this regulation builds on the privacy legislation that we have known in the Netherlands for some time: the Personal Data Protection Act and the Data Liability Notification Act, which was introduced two years ago. This means that you can build on what you have already implemented in the context of these laws. That is often already quite a lot.
Cooperation g-company and Qhuba for GDPR-compliance
Qhuba, the digital strategy execution company, and g-company work together to help companies become GDPR-compliant in time. Qhuba covers the organizational aspects of GDPR, while g-company helps to move to the Google Cloud and/or to Salesforce.
Would you like to know more about the sunny side of GDPR? Contact us, we are happy to help you with the big spring cleaning!
Would you like more information about the security and compliance capabilities of Google Cloud? Click here to read the report (in Dutch).
This blogpost was written by Frank Leevendig, partner Digital Transformation and Security & Privacy Qhuba, firstname.lastname@example.org, and Jeroen Hovinga, Business Development Manager g-company, email@example.com.
Also read Jeroen’s blogpost on GDPR on LinkedIn.