A funny thing happened on the way to a Brexit conference.
I went to a conference earlier this year on Brexit. As part of the Q&A I asked the question about the effect of the introduction of GDPR legislation on the whole process. The MC proudly got up and said “Don’t worry about it. It is just an IT scam, like the Y2K bug and all you need is to put everything on the cloud, and if you get hacked, it’s their problem, not yours.” In other words, pass the buck. We had a heated debate which got us nowhere, so we agreed to disagree.
The difference between a data controller and processor under GDPR.
Since that time, I have done some further research which supported my original point. There is a clear distinction between a “data controller”, the person who sets the policy and procedure, and a “data processor” who works with the information as defined by the controller. The idea that the person who defines the purpose and parameters of data capture can somehow palm off responsibility to an underling would certainly be grossly unfair. The regulations state that, in most cases, the responsibility would be shared (unless there is gross negligence on one side or the other).
So what is the point of GDPR anyway?
That point of view also displays a complete misunderstanding of what GDPR is about. The emphasis from our MC is all on the potential “breach” but not on the type or nature of the information held in the first place. (1.9 billion records were leaked or stolen in the first half of 2017.) The complex and fast-paced nature of technology makes it virtually impossible to stop every variety of attack, including employee theft.
What the regulations do encourage is making sure that only the minimum amount of data is stored on your system to fulfil the stated purpose as defined by the “data controller”. All these issues have been covered in previous articles, but the main thrust of the regulations is to take due care and maintain the accuracy of the information in your possession. If there is a data breach, then any unauthorised person would only get access to a minimal amount of information, not the mountains of data that you may be keeping for the sake of it. The same issue applies whether you use a server or the cloud, as advances in technology allow for greater data storage capacity.
Next in the series we look at issues of cloud technologies in relation to GDPR.
About the Author:
Malcolm Ford has worked in the fields of data migration and analytics for the past 8 years. He has recently combined forces with “The Partners” to provide a comprehensive service to businesses dealing with GDPR issues.