GDPR, is it just an IT thing?
I was at my local the other night and overheard a group of co-workers saying that they had the whole GDPR stuff “sussed” as they had just bought licences for software that will sort it out. Define problem, buy solution, plug the hole, job done. I have heard other stories of developers working on a “GDPR in a box” that will be the “all in one solution” that will somehow collate information from multiple sources and somehow magically clean up your data ready for May 28th. This is very much a compliance or “IT” approach. We need on-line security, so we buy a firewall. We don’t want the hassle, so we put everything in the cloud. The emphasis from the business community – and therefore software vendors – is to make everything easy, counting the number of clicks, or making everything “user-friendly” – anything to make the problem go away. Dumb it down and free it up. This is where the concept of ‘Privacy by Design’ comes in.
What is Privacy by Design?
One of the principles, which you will hear of more and more, is “Privacy by Design”. I have heard it said that in future many legacy software solutions, which currently comply with the GDPR framework, will have “client confidentiality” built into future versions. My take on it is that the authorities want to get business owners to take stock and consider all aspects of keeping the data, not just playing it safe with the minimal amount of effort for the purposes required. Basically, they want you to stop and think about what data you hold, the issues it raises, what you are going to do about it and the positive action you are going to take towards that goal. Adding another software patch just ain’t gonna cut it.
How does GDPR affect software?
If you consider the software in your possession, there will be multiple different packages – Outlook, Excel, Word, Sage or Xero, an Access database, CRM, warehouse systems, Auto-Cad for drawings. That alone requires a distinct approach to each package, as each has a separate function and purpose. Even though vendors will be incorporating the principles of “privacy by design” in their upcoming updates and future product releases, there is still the other half of the battle in terms of how the software is deployed and used. There is no point redesigning the software package if the way it is used does not fit the purpose of client confidentiality. This should be addressed as part of the “privacy impact assessment” and applied accordingly.