This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.
Article 5 of the General Data Protection Regulation (GDPR) sets out a series of principles for organisations to follow. These principles set out the requirements an organisation must meet when processing and protecting personal data.
The GDPR advocates a risk-based approach to ensuring adherence to these principles. How each organisation approaches the mitigation of any operational risk associated with the processing of personal data will be unique to that organisation. Compliance with any set of standards or regulations should not be seen as a simple box-ticking exercise. Rather, this regulation is designed to ensure that consumer rights are protected through cultural and behavioural changes being embedded into an organisation. The notion of “privacy by design” needs to be at the very heart of any organisation when considering the risks associated with processing personal data. This shift in approach is not something that can be easily assessed or measured.
This approach is not new. The Data Protection Act 1998 also used a set of six key principles to enshrine the protection of personal data. All organisations have been operating under these terms for the last 20 years. The GDPR should be seen as an opportunity to revisit these principles and implement appropriate controls in light of the increased use of technology in business.
In the event of a data breach, the Information Commissioner’s Office (ICO) may choose to investigate the circumstances of the breach. It is only at this point that the appropriateness of any given risk mitigation control will be assessed and judged.
All professionals recognise the need for Continuous Professional Development. By embarking on an education programme, professionals will enhance their skills and in turn strengthen their business. The same principle applies to GDPR. If an organisation has in place a system of continuous review and improvement, then the principles of GDPR will continue to be respected.
As technology and business processes evolve, so too do the associated risks. By having a privacy-by-design and cyber-aware culture, an organisation will be in a strong position to adhere to the GDPR principles.
GDPR hub: icaew.com/gdpr