Like millions of other businesses we spent considerable time and effort ensuring that our internal operations were in compliance with the EU’s new General Data Protection Regulation (GDPR) by May 25 and, equally importantly, that they were positioned to remain in compliance after that date. Along the way we encountered and resolved – at least to our satisfaction – some challenging questions about what the regulators intended and how we could best comply with both the letter and the spirit of the law. Here are a few quick observations based on our experience.
One hard truth we accepted early in the process was that there was no place to go for an authoritative interpretation of the regulation. In a perfect world, when we had a question we would have phoned the European Commission and asked them. That, of course, was not possible. A close second choice in that mythical happy place would have been to consult the records of legal proceedings that had been undertaken by the regulators as they enforced the rule. This too was impossible, as there had not yet been any enforcement. It was, however, possible to contact the UK’s Information Commissioner’s Office (ICO) and pose questions to them. In some cases we did that, and in some but not all of those cases they provided important guidance. Similarly, we treated any direction that came from the Article 29 Working Party as definitive. In many cases, though, we had to proceed without the benefit of direct guidance from the regulators.
We quickly discovered that turning to the Web for opinions on GDPR questions was a two-edged sword. On the one hand, there were thousands of people and institutions such as law firms and consultancies posting their views. On the other hand, these self-styled experts often disagreed with each other. So while it was helpful to read and consider what they had to say, we couldn’t always find either a consensus or an argument strong enough to convince us that a particular opinion was correct. Our conclusion was that, in many cases, we would simply have to make our own best calls.
With that understanding we adopted the following procedure:
- Think each question through carefully.
- Adopt a final position.
- Document our decision and how we arrived at it.
- Abide by it rigorously.
This procedure gave us the following comfort: In the unlikely event that the regulator were ever to examine our practices, although they might decide that some of our decisions were incorrect, it would be impossible for them to conclude either that we hadn’t given our decisions careful thought or that we were being inconsistent in how we acted on those decisions. Of course we didn’t and still don’t know whether the evidence of our good faith efforts to comply with the regulation would translate to gentler treatment if it turned out that some of our decisions were unacceptable to the regulator, but we consider our process to be good practice regardless of its effect in that hypothetical scenario.
Early in the process of planning for compliance we concluded, as did just about every other business that is affected by the regulation, that we would need to conduct an inventory of datasets we held that contained personal information. We also realised that, for several reasons, we had to map these data sets to the processes that depend on them. As we reflected on this mapping exercise we stumbled across a useful principle: The mapping exercise for the personal information we already held was largely driven by the data in our possession, but our procedures for operating under GDPR would reverse this flow; the processes we choose to implement will drive the collection of data. Because the introduction of new processes that use personal data cannot be done casually under GDPR, the result is a much more comfortable operational stance as it ensures that decisions about collecting and managing new sets of personal data will be given adequate consideration before data collection begins.
A final observation has to do with the Controller and Processor roles defined by the regulation. When we looked across our operation there were many cases where it was immediately apparent that we were the Controller or the Processor or neither for a particular dataset. More surprisingly, there were many cases where our role – Controller, Processor or neither – was not immediately apparent. The seemingly simple task of determining our role and, by implication, our obligations with regard to certain datasets ended up consuming a lot of time and thought, and was probably the single thorniest category of question we encountered throughout the entire GDPR preparation process. The decisions we made in these cases have been recorded and documented using the procedure I have already described.
Because we are a software company we were able to apply some of what we learned to our product, the Enterprise File Fabric(TM). For example, we added a policy option to our file sharing feature which our customers can turn on to require their users to outline the reason why they are sharing data and with whom the data is being shared.
I don’t know with certainty how typical our experiences in dealing with the uncertainties of GDPR were but, from conversations with colleagues who were involved in their organisations’ preparation efforts, my sense is that we were all in pretty much the same boat. The strength of the decisions taken by us on our journey, as with those of other organisations, will become clearer as the practical aspects of the legislation evolve and test cases come to bear, but there is no doubt that because of GDPR organisations across Europe and around the world have collectively put an enormous amount of thought and effort into improving how they collect and manage personal data. For the regulation’s authors this must be a hugely satisfying outcome.