GDPR – Principles vs Practices

I had the amazingly good fortune early in life to work under the philosophy of a man who passionately believed that it was better to teach the principle of a thing than to teach the practice of that thing, although the latter was much easier to teach. Every day I run into people whose first response to a new situation is to ask about the rules. “What do I need to do?”

Learning the principle not only gives us the ability to do the thing, but also gives us the foundation to do other things well as they arise, because we have that kernel of understanding from which other “things” will grow. The GDPR is like this and, indeed, the ICO has stated that the overriding consideration is not how well we implement or follow the rules, but whether we are practising privacy by design and achieving the goal of safeguarding data.

My favourite analogy for this is the electrical wiring in a house. Wiring a house is subject to endless rules about wire size, colours, joining methods, shielding, placement, and so on. If these precise rules are followed then it is likely the house will be safe from electrical faults. However, if one knows the principles, the house could be wired in a bewildering variety of ways and still be safe — because the electrician understands the principles of their task. In fact, the wiring codes in the UK are dramatically different from those in the US — working in the US by the UK rules will deliver a nasty shock. Understanding the principles should make one safe in either place.

Applying this concept to the GDPR is relatively simple for a psychologist, who is already well versed in the concept of privacy. The GDPR was created mainly to counter the abuse of personal data by businesses, both large and small. Data abuse by professionals such as psychologists occurs through carelessness, ignorance, or malice, but seldom out of greed. A psychologist may forget that the window to their office is open and that conversation carries quite a distance. A psychologist may not think about their mobile phone having no password — it’s such a hassle to make a call with one — until the phone is lost or stolen and suddenly someone else has access to passwords, contact details, synchronised notes, online storage and so forth.

One principle in handling sensitive data many years ago was a simple card, red on one side and green on the other, labelled “OPEN” and “CLOSED”, kept in the top handle of filing cabinets. If red showed anywhere in the room, then a person had to be there, in control of the data. Further, that person had to be cleared to be there. Entering a room with red showing and nobody present was a breach that had to be reported and dealt with to ensure no data was missing.

This remains one of the best principles today, even in the world of digital high tech. Ask yourself:

  • Am I in full control of the data I am holding?
  • If not, is this data secure from compromise by other people?
  • Do I need to have this data in the first place?
  • If so, am I prepared to accept full responsibility and the consequences for breach?
  • When I go to get a cup of coffee, when I get out of the car, when I walk out the door, have I secured all the data I am holding?
  • Am I proactive in keeping data secure and away from the grasp of others?

In twenty years of being a DPO, I have found that this covers at least 80% of our responsibilities for data protection. The rest involves compliance, very reasonable compliance, to inform the data subject about how data will be used, how to gain access to it, and providing it to the subject if they request it. I find it useful to be generally familiar with the rules, intimate with the principles, and when something comes up like “how long do I have to respond to a request?” to refer to the rules, which will tell me that I must respond as quickly as possible and within a month (down from 40 days previously).

In preparing to adopt the GDPR, ask yourself the following questions:

  • What data am I holding? Contact records, email addresses, medical records, notes from sessions, emails, names of relatives, children, employers, etc.
  • Where am I holding this data? On my phone, computer, tablet, filing cabinet, notebook, USB stick, external drive, kitchen table, attaché case or satchel, car, etc.
  • How am I securing this data? Locked cabinets, encrypted devices, aggressive passwords (and where am I keeping the passwords?), etc.
  • Do I need to be holding this data? Reducing the data held, minimising the locations where it is kept, and destroying it reduces the risk of a compromise.
  • What do I use this data for? If it serves no purpose then it should be deleted.
  • Who am I trusting to handle this data? Twitter? Facebook? Dropbox? OneNote? Evernote? Do they value my information as much as I do or is my data their product?

When we become bound by rules and blind obedience to those rules, we become pedantic and obsessed with semantics, often forgetting the goal those rules were intended to guide us toward. The rules of a game, such as football, do not gain us a goal. We still have to remember that the goal is the purpose in the first place.

So, referring to my featured image, I encourage you to be proactive and employ your own good ideas based on your own understanding about data security.

“Good ideas are not adopted automatically. They must be driven into practice with courageous impatience.”