A ‘Defensible Position’

It is difficult to know how far one must go to be GDPR (General Data Protection Regulation) compliant – do we gold plate everything to ensure we are compliant? Well, obviously not, but it raises the question of what approach to take when actually remediating privacy risks.

A lot of the GDPR is at best subjective and at worst wildly ambiguous. Many of the articles can be interpreted in many different (and significantly different) ways by different people and different organisations in different industries. In order to respond to this kind of uneven environment, a pragmatic approach to compliance must be adopted to ensure the most appropriate risk mitigation strategies are employed in the right areas. In doing this, we build organisations towards a ‘Defensible Position’, which acknowledges both the mandatory items that need addressing in full, in terms of both their scope and scale, and the fact that some GDPR requirements can be handled with a more typical risk-based approach.

Some examples of the areas we see falling within those mandatory items include:

  • Governance & Accountability
  • Retention and Transparency of Processing
  • Consent
  • Subject Access Requests
  • Breach Notification

And some example areas where we typically believe a risk-based approach can be adopted include:

  • Data Portability
  • Right to be Forgotten

For example, for both of these you perform an analysis of the systems and processes that store and process personal information and, based on risk indicators, categorise these into critical, high, medium and low risk bands. Remediation efforts can then be driven by these risk categorisations.

The whole premise of the defensible position allows an organisation to press on with risk remediation without getting tied up worrying about being 100% compliant, 100% of the time. It means that if the regulator comes knocking on 25th May next year, the organisation will be able to sufficiently justify its actions and fully demonstrate the approach it has adopted to tackling GDPR compliance. This in turn will likely help prevent it from being the TalkTalk of its industry, the one that is made an example of when it comes to handing out regulatory actions and fines.

2 Replies to “A ‘Defensible Position’”

  1. An impressive share! I have just forwarded this
    onto a co-worker who had been conducting a little homework on this.
    And he in fact bought me lunch because I found it
    for him… lol. So allow me to reword this….

    Thanks for the meal!! But yeah, thanks for spending time
    to talk about this topic here on your website.
