GDPR in a nutshell
GDPR in a Nutshell
GDPR can be summed up in this one sentence - ask permission, respect the privacy of the subject, value and protect their data.
To illustrate this, if we can envisage personal data as something monetarily and emotionally valuable belonging to someone else that we would like to borrow for our use. For illustrative purposes, let's say this is an expensive sports car we are borrowing from our neighbour.
Seek permission to use
I have to first ask their permission. I can't just take it and drive away. It would be illegal, pee him off and he might call the police. Think of this as consent (as you don't have legitimate use such as a rental or lease agreement). Okay, so this is about Consent. A typical example of Legitimacy could be a garage taking the car to service it under your instructions. They will have legitimacy to drive the car to the garage and test drive it after the servicing is complete. This does not of course give them the legitimacy to do long journeys or use it for ferrying passengers.
Maintain trust
It does not mean I can off-road with it or give it to my mates to joy ride in it or even sell it off. Think of this fair and lawful processing, no abusing or sharing without consent.
Provide assurance
He will also want me to be transparent and let him know what I will be using his car for. Whether I will have any passengers and that I will look after it. This your privacy policy.
Protect it whilst in your possession
He will also expect me to park it in a safe place and lock the door so that it is not damaged or stolen. Think of this as security.
And if it did get stolen or damaged, he would expect to be informed a.s.a.p and would expect you to report it to the authorities. So that he is protected from the consequences. Think of this is breach notification.
Sure, he would expect me to keep it clean and ensure it is insured, MoT'd, taxed and roadworthy. Think of this as keeping the data up to date, accurate, complete etc.
Personal data is a loan or a gift
The data still belongs to the subject. It is not ours to use and abuse as we like. We must start thinking of it as something precious and a personal gift or a loan that we need to look after. In business terms, think of the data subject as the most important stakeholder here.
I must also be prepared to acquiesce to his request to modify my driving behaviour, not speed, off road, take part in a race or simply stop driving it and return the car when he asks for it. Think of this as the subject's rights under the GDPR.
Be accountable for your actions
And of course, if I do abuse it then I will have to pay for damages and may end up in prison if I really take the P. This is being accountable.
Be prepared to pay for misuse or abuse
If I did all the above to the best of his expectation, to a certain expected standard (e.g. GDPR) of due care and I can prove it to him, then even though there are some scratches or minor damages, he may not be too upset. And even if made a claim, there would be mitigating circumstances that would be taken into consideration if I'm penalised by the authorities.
A very simple analogy that I hope helps to convey the essence of what GDPR is. You wouldn't abuse your neighbour's car entrusted to you then why would you abuse someone's personal data?
This and other articles can be found at www.cybercounsel.co.uk
Author : Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF – is a certified GDPR and Cybersecurity practitioner. He as a security practitioner has written, tested, embedded many incident management plans and process and dealt with many incidents and data breaches. He is also the co-author of RESILIA – Cyber Resilience Best Practices from AXLEOS, published in 2014 and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneuers
If you need any assistance with any aspects of GDPR implementation or cyber security please contact us.
If you are interested in our One day GDPR How-to Master Classes please register here at Cyber Counsel.
cybercounsel.co.uk/gdpr-masterclass
Copyright Cyber Counsel
NIce article. Ive read this before :-)
Global Head of Cybersecurity Operations - A Highly Experienced Cyber Security, Data Protection, (GDPR, UKDPA), and Privacy Professional Helping Organisations Become Resilient & Compliant
6yTim Clements that guy has ripped off my article or he thinks and writes like me.
Senior Specialist - Talent Acquisition @Indotronix Avani Group (UK/Europe)
6yi have a Job Opportunity ON EU GDPR Position in UK, if Any one interested kindly inbox me.
Global Head of Cybersecurity Operations - A Highly Experienced Cyber Security, Data Protection, (GDPR, UKDPA), and Privacy Professional Helping Organisations Become Resilient & Compliant
6yStuart Rance Building trust.
Biomedical Science
6yNice story telling and relating this to the car service industry. I would add you must be able to report what you have done with the car. So by collecting GPS information and providing it to the customer you can achieve this and as the Car becomes smarter it can also collect data on passengers and work completed.