VSEC Blog: IT Security Channel News brought to you by Infinigate UK

The Six Commandments of the GDPR

Topics: Data Loss Prevention, Regulation, GDPR, General Data Protection Regulation

Posted: 29 August 2017

Otherwise known as the measuring stick by which some of your GDPR compliance will be assessed, the six core principles of the GDPR are the basic foundations upon which the regulation was constructed. Unquestionable and pure in nature, they are rarely acknowledged for one simple reason: five of the six have no real application in helping to peddle products and solutions.

Thou Shalt GDPR

Buried in the 88 pages of the GDPR under Chapter II, Article 5, the biblical-styled principles are set out in a far less dramatic fashion than they possibly deserve.

1. Personal information shall be processed lawfully, fairly and in a transparent manner – Jargon deciphered, principle one specifically nods toward the concept of clear consent. In any situation where personal information is collected, it should have the demonstrable consent of the data subject. Opt-in tick boxes are still permitted, but the regulation explicitly prohibits consent by non-action or opt-out boxes. The death of those confusing subscription choices at the bottom of forms is on the horizon.

2. Personal information shall be collected for specified, explicit and legitimate purposes – Where personal information is collected, the data subject must be told the purpose of its collection and of any subsequent processing. Organisations will need to become much clearer with data subjects about what their personal information will be used for.

3. Personal information shall be adequate, relevant and limited to what is necessary – When collecting personal information, the data controller must only collect personal information which is absolutely mandatory for the specified purpose. For example, if personal information is collected to send me a magazine subscription, there is no requirement for my date of birth.

4. Personal information shall be accurate and, where necessary, kept up to date – It is now the obligation of the data controller to ensure, to the best of their abilities, that the information collected is correct. This may seem difficult and even trivial; however, what the regulation is trying to address are situations whereby processing incorrect personal information may cause distress or harm to data subjects.

5. Personal information shall be retained only for as long as necessary – Marketing teams wince at this principle as though it is the sourest grapes on the vine. All personal information must now have an expiration date applied, appropriate to its collected purpose. Indefinite retention is unlikely to ever entertain the patience of the supervisory authority.

6. Personal information shall be processed in an appropriate manner to maintain security – The principle which has attracted the most focus requires data controllers and processors to ensure the confidentiality, integrity and availability of their data processing systems.

21st Century Snake Oil

The GDPR was deliberately designed to shy away from mandating technological solutions. It accepts, and even advocates, that in most cases organisational controls provide sufficient protection: for example, modifying existing online web forms, creating a policy for the deletion of expired personal information, or introducing privileged access management to ensure the confidentiality and integrity of processing systems.

Focussing on just one principle by way of seeking to sell solutions does an injustice to the purpose and spirit of the regulation as a whole.

The GDPR is not really supposed to create a feeding frenzy of solution purchases, nor is it there to induce stress through budget-busting administrative fines if you don’t buy solutions. The six core principles show us that it is simply there to ensure that the personal information and attributes of people (like you and me) are given the care and protection they deserve and we expect.

Albert Einstein once said “Any Fool Can Know, the Point is to Understand”, so put your wallet away, it’s probably not required.

Posted by: Infinigate UK