Can the GDPR be circumvented?

The GDPR regulation, which will come into force on 25 May 2018, is very strict and threatens astronomical penalties. There are at least two approaches to dealing with it: either be a responsible data controller, or choose a risk-based approach.

The GDPR regulation, which will come into force on 25 May 2018, is very strict and threatens astronomical sanctions. There are at least two approaches to dealing with it. Either you will be a responsible data controller, or you will choose a risk-based approach. Either you address every detail of the regulation, thereby eliminating the risk of failure, or you accept a certain level of risk and choose the risk-based path according to the nature of the personal data you process.

The principle of controller liability
In applying this principle, the controller of personal data is fully responsible for compliance with the principles for processing personal data. The controller must comply with all obligations and be able to demonstrate that compliance.

Data relating to the data subject must be processed in a lawful and transparent manner, and it must be collected for explicitly stated and legitimate purposes. Personal data must be processed in such a way as to ensure its security, including protection against damage or loss. Controllers who choose this route must have all processes documented and defined, for example in internal codes or regulations.

Risk Principle
Data controllers need to take into account the risks that the potential loss or misuse of data would bring to the rights and freedoms of the individuals to whom the data belongs. In layman's terms, the consequences differ if unauthorised individuals get hold of a customer list of first names versus online banking login details. Data controllers therefore need to consider the nature, categorisation and scope of the data being processed and the impact on the rights and freedoms of individuals in the event of loss or misuse, and to tailor the security of personal data accordingly. If they are processing data whose leak would not put its owners at risk, the security parameters and technologies may be simpler than if they are processing sensitive data with a high level of impact on the data owners.

Several categories of personal data carry a greater impact if compromised. Special categories of personal data will always carry a higher risk. Special categories of personal data include, for example, health data or login data. In the event of a security breach, the assessment will consider whether the breach was negligent or intentional.

Data Protection Impact Assessment
Where the processing of personal data could potentially pose a high risk, data controllers will be required to carry out a data protection impact assessment before the processing begins, and they must consult the Data Protection Officer if the organisation has one. If the assessment shows that the processing would result in a high risk in the event that the data is lost or harvested, the data controller must contact the Data Protection Authority to address the risk.

Data controllers need to be aware of the data they are handling, how valuable that personal data is, and the risks of its loss or misuse. The GDPR cannot be circumvented, but simpler measures can be chosen, depending on the risk associated with the data being processed.

What about you? What categories of personal data do you process? If you are unsure, please contact us for advice.