Whenever I visit a clinic for a health check, I’m asked a slightly different set of questions. Each clinic is very professionally run, and, until recently, I haven’t been unduly concerned that the same questions aren’t always asked. I’ve generally been healthy, so I guess there was never any real need for the medical profession to probe too deeply.

So, why should I be worried about different questions being asked about data protection? How deeply should professionals probe into the ‘data protection’ health of an organisation?

The question arose because I’ve recently had an opportunity to compare my methods with those practiced by a chum in Austria. When I’m asked to probe an organisation, I review it through the lens of some 45 controls. When my Austrian chum probes, he uses a similar number – for starters – but might then extend his examination to cover some 200 controls, each of which can be specifically linked to GDPR requirements. And these are just GDPR controls. He told me that, in Austria, some projects necessitated the use of a further 30 or so controls, to reflect specific aspects of Austrian data protection legislation.

So, he was happy that the GDPR might involve him dropping up to 30 redundant controls. But what might my clients say if I slipped into the next conversation that what I needed to do was focus not just on my initial 45 controls, but on an additional 155? How would that go down, I wondered.

Tell me, fellow data protection professionals, how many controls are sufficient for an organisation to rely on? Should it simply rely on the controls that the ICO uses in its “Getting Ready for the GDPR” checklist? Or should it introduce more, and if so, just how many more?

The answer, obviously, depends on the extent to which the organisation’s processing is likely to harm individuals, and in particular how much harm could be caused to how many individuals.

So, organisations need to take a risk-based approach to developing appropriate data protection controls.

My Austrian chum might well have been right all along; perhaps there are a significant number of organisations that need his “full fat” suite of over 200 controls. And perhaps I have been misleading clients into believing that my set of 45 was sufficient.

I won’t know whether I have been misleading anyone until a data breach has occurred and the ICO’s enforcement team has decided that an aggravating factor in the case was the organisation’s decision to rely just on my initial suite of 45 controls.

So, I’m praying on my initial hunch that my ‘suite of 45’ will be sufficient to prevent a reportable breach for which the inadequacy of my control set was partly responsible.

Wish me luck.