What are you doing and why are you doing it?

When people ask Data Protection questions, I’ve come to realise that they’re hoping for a nice simple yes/no answer. That’s why they so often phrase their question, ‘But is it okay if we just…’

And yet they so rarely get a nice simple yes or no answer. Instead, if they talk to me, we begin with a few questions:

  • What is the thing you are doing?
  • Why are you doing it?
  • What’s the outcome of not doing the thing?

And they need to explain to me, a person who doesn’t have ten years’ experience in their particular field of expertise, what they are doing and why they are doing it. This is often annoying for them. Sometimes for me too. We need to break down ‘the what and the why’ until I have a nice, simple dummy’s guide to what’s going on. I’m the dummy in this conversation. I keep asking ‘why’ until I could explain the purpose of the data processing to, well, anyone.

What are you doing and why are you doing it? This is a key part of the GDPR. Your company needs to be able to explain to people – nice, normal people who don’t have ten years’ experience in the exact expertise under discussion – what is being done with their data. And why.

Why we’re planning to do this thing can be super-helpful – but we’re not always great at having a nice clear reason for why we do things. (“Why? What do you mean why? We’re doing it because our director wants us to and we’ve already started the project and this is all budgeted for this financial year and this is just the way the system comes out of the box and we don’t have funding for changes!!”) This is why I try the sanity check of ‘what happens if we don’t do the thing.’ (It doesn’t always help. If the answer is ‘I’ll get into trouble with my manager’ then we aren’t quite having the right conversation yet.)

If we can understand the why of the activity, it gives us our best clue about how to define ‘our legal reason for doing the thing.’ (Aka, in GDPR-speak ‘our lawful reasons for processing’, including everyone’s favourite plain English term ‘legitimate interests.’)

There is still so much confusion about this. Everyone went batshit-GDPR-crazy about consent in 2018 (yep, that’s the technical privacy term) and everyone in Data Protection world (which had suddenly expanded to include several million panicked people) had conversations like this:

Business lead: BUT WHAT IF THE PEOPLE DON’T CONSENT TO THE THING

DP lead: Do we actually need consent for this thing? What’s the outcome of not doing the thing?

Business lead: THE GOVERNMENT WILL CLOSE US DOWN OR FINE US BECAUSE WE HAVE TO DO THE THING

DP lead: Okay then. In that case, you aren’t really looking for people’s consent. You just need to make sure they’re aware that we have to do this legally mandated thing. That means we’ll put it in our privacy notice.

Business lead: BUT CONSENT

DP lead: Bring me the tequila.

*

People of the GDPR lands, before you go to your Data Protection leads with your newest and most awesome idea (“to get them to sign it off”) make sure you can explain to anyone, to everyone, to a semi-interested seven-year-old, to an antagonistic customer, and yes, to your weary Data Protection lead, WHAT YOU ARE DOING AND WHY YOU ARE DOING IT.

And Data Protection people, if you’re struggling with ROPA or with risk assessments, this is one lever that can make things easier. It’s something you can provide good examples of. It’s something you don’t need ‘data protection experts’ for. It’s something you can and should easily train your key business leads to do.

 
