GDPR is really gaining momentum with umpteen companies, consultants, and
products appearing that will help companies get through the GDPR challenge.
However, despite spending hours reading documents, watching videos, and
studying blogs I am still concerned. The biggest issues I think are around:
Legal Basis for Processing – huge amount of discussion around this topic.
Legitimate Interest seems to be favoured by many people; however, the ICO
guidelines are so vague – the onus is on the company to document and be able to
prove that this is a reasonable approach with no detriment to the subject, but
without specific criteria on which to base your decision. Looks like a risky area,
although I accept that a number of people think that this is clear-cut and that I
might be just getting a little too paranoid. Maybe we’ll only find out when the ICO
take enforcement action against a company using this approach.
Granular opt-in – so, assume you are going for consent: when you present your
form to the data subject, just how granular is granular? Can you say, ‘We will
send you account updates, support info and other offers’ and accept an opt-in in
one check box – or is this not granular enough and you should really give the
subject the option to opt-in to one or more of these topics? Maybe this depends
more on what you want to allow the subject to be able to opt-out of?
PIA – what is the required content of a PIA? There is a very useful document on
the ICO website, but this is way beyond what most companies can handle. Is
there a simpler PIA or different way to do this?
Data Flows – as per the PIA – mapping data and data flows is complex. I’ve not
been able to find a site / product that helps in this area. Data flows are again
pretty fundamental, and without them the PIA is impossible and the
definition of processes is tricky too.
Am I getting too paranoid about this? I want to complete GDPR preparations and
be 100% compliant but with so much uncertainty I can’t see that this is possible.
ICO has a pretty fierce enforcement regime and with the emphasis on companies
being able to prove that they have taken reasonable decisions against uncertain
criteria I think I am rightly concerned.
How are you all feeling? Maybe I just need a holiday!
Good luck all!