Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

On of the key failings of the EU legislation is the apparent lack of standard EU approved clauses. They will arrive – at some point. For now, many vendors both inside and external to the EU will need to manage as best they can. We have covered the main contractual relationships required between processors and controllers. However, in brief they are:

• Controllers must only use processors which are able to guarantee that they will meet the requirements of the GDPR and protect the rights of data subjects.
• Controllers must ensure that they put a contract in place which meets the requirements set out in the available guidance.
• They must provide documented instructions for the processor to follow.
• Controllers remain directly liable for compliance with all aspects of the GDPR, and for demonstrating that compliance. If this isn’t achieved, then they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures

One of the major contractual changes between Controller–Processor is going to be the need to keep processing records. Given the nature of the change, if the provider is outside of the European area, this would be an important contractual requirement. It is also an important record of activity if a breach or error occurs.

It seems logical that most companies in the data business would see keeping records of processing activity as a normal standard business practice. Not so it seems.

For analytics (or any procurement platform provider), it may well be worth keeping some form of record of processing activity — if this is not currently a part of operational management. This may cover elements like data refresh receipt, refresh activity, new report generation and any other activity that takes place on the data. Remember, it would make sense to have one processing record for every processing requirement made by a controller. What would this take? A simple spreadsheet entry in most cases.

This may seem onerous, but if suppliers are anonymising or removing data from the transactions records, the who, what, why, where and when of processing maintained in records will allow tracking and follow up of errors if a breach occurs. It is an overhead – but is the basis of managing data more carefully and being able to cope with an audit.
However, as we will explain in a later post, the bureaucracy of the EU knows no bounds. We will introduce the concept of the DPIA, (Data Protection Impact Assessment) shortly.

The DPIA is an interesting concept — quite what anyone would do with these assessments at Supervisory Bodies (given the likely volumes) has to be questionable.

However, prior to that, we have to cover the thorny subject of consents.

Thanks, Tony.

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

It had to happen. In fact, almost inevitable really.

Within a week of the GDPR being implemented, the news story broke.

‘Embarrassing’ leak shows EU falls short of own GDPR data law

Without access to the full article on the UK Daily Telegraph Premium, it is difficult to assess the details of the breaches.

However … the response from a Commission spokesperson suggested that:

“The European Commission is not subject to the strict new data protection law that it has imposed across Europe”.

Well, no surprises there. Given no published EU Commission accounts and constantly changing legislation it does appear somewhat Orwellian.

Ironically, the approach that many EU member state governments have deployed specifically rules them out of breach fines. The Irish government being one. (Source)

There is some logic in this approach.

It makes little or no sense to fine public bodies –- after all, they will pay the fine, reach a point in the annual budgeting cycle where they have a significant deficit –- and be topped up by central government. Take funding from one hand, pass it back with the other.

The United Kingdom has chosen not to follow this option — yet. However, one could predict that it will not take long for prosecutions to occur given government departments track record of personal date and cyber security breaches (within the National Health Service for example).

Not much of a deterrent and a massive public cost to prosecute and collect a revolving door fine.

Like much legislation the EU creates, it is clumsy, lacks detail and confusing. But it’s the law.

Taking a far more cynical approach, the GDPR appears to be legislation that is a Tax Collectors dream ticket.

There is the pretence of “protecting the rights and freedoms of EU citizens” –- whereas the reality is that it is a foolproof way of collecting what is essentially a data-tax from businesses for breaches.

A classic case of a cast iron fist in a velvet glove.

Will post more if the story evolves.

Thanks, Tony!