It is difficult to know how far one must go to be GDPR (General Data Protection Regulation) compliant – do we gold plate everything to ensure we are compliant? Obviously not, but that raises the question of what approach to take when actually remediating privacy risks.
A lot of the GDPR is at best subjective and at worst wildly ambiguous. Many of the articles can be interpreted in many different (and significantly different) ways by different people and different organisations in different industries. To respond to this kind of uneven environment, a pragmatic approach to compliance must be adopted so that the most appropriate risk mitigation strategies are employed in the right areas. In doing this, we build organisations towards a ‘Defensible Position’, which acknowledges both that some items are mandatory and need addressing in full, in terms of their scope and scale, and that other GDPR requirements can take a more typical risk-based approach.
Some examples of the areas we see falling within those mandatory items include:
- Governance & Accountability
- Retention and Transparency of Processing
- Subject Access Requests
- Breach Notification
And some example areas where we typically believe a risk-based approach can be adopted include:
- Data Portability
- Right to be Forgotten
For example, for both of these you perform an analysis of the systems and processes that store and process personal information and, based on risk indicators, categorise them into critical, high, medium and low risk bands. Remediation efforts can then be driven by these risk categorisations.
The whole premise of the defensible position is that it allows an organisation to press on with risk remediation without getting tied up worrying about being 100% compliant, 100% of the time. It means that if the regulator comes knocking on 25th May next year, the organisation will be able to sufficiently justify its actions and fully demonstrate the approach it has adopted to tackling GDPR compliance. This, in turn, will likely help prevent it from becoming the TalkTalk of its industry: the one that is made an example of when it comes to handing out regulatory actions and fines.