I finished my engineering degree in computer science in 1999. It is probably fair to say that my personality is attracted to absolute truths. A lot of my colleagues have similar backgrounds and are equally attracted to quantifiable, structured, binary answers. Becoming a DPO, I am starting to realize that I might be driving some of them crazy.
What does this really have to do with GDPR? GDPR is a principle-based regulation, not a rule-based regulation. Adhering to a rule requires little interpretation or deliberation, for example keeping to a speed limit. Adhering to a principle requires you to have a deeper understanding of the context. The speed limit is actually just an interpretation of a principle; in traffic you have to be vigilant, careful and considerate. So imagine how some of my colleagues feel when they ask me a GDPR equivalent question of what the speed limit is, and I tell them to consider their surroundings and drive vigilantly.
A few examples:
“Is an internal ID personal data?” DPO: “It depends. Can it be used to directly or indirectly identify a natural person?”
“Are we allowed to process this piece of personal data?” DPO: “It depends. Is it required for the purpose of processing? Is the processing lawful? Are we appropriately securing the processing?”
“Is this new functionality secure enough?” DPO: “It depends. Have you weighed it against the risk to the rights and freedoms of the natural person?”
(This is not to say that there will not be clearer “speed limits” related to GDPR. Over time, regulation, certifications and guidelines will be developed, making it easier to give binary answers.)
Obviously, this is not just a challenge for my colleagues, but for our customers as well. Our customers also have to assess what data they are allowed to process, what they should consider personal data, or if a system is secure enough for the purpose of the processing.
Perhaps the biggest challenge for many of our customers is data subject rights. GDPR strengthens the rights of data subjects, like the right to transparency, being forgotten, portability, etc. But here is the catch: these rights are fundamental but not absolute. The rights must be weighed against other lawful obligations and other fundamental rights. Many of our customers are in an area where other lawful obligations are abundant: education laws, public servant laws, protection of minors, etc.
To illustrate the challenge in assessing data subjects’ rights, let’s take a real-world example. A parent contacts his daughter’s school and wants to exercise the right to access. He demands a copy of all personal data stored about his daughter on their LMS. Under GDPR this is a fundamental right. But the school has to weigh this against their obligations to education law (could some of the data harm the student’s right to education?), privacy laws (even minors have a partial right to privacy), confidentiality requirements as a public servant, etc.
So GDPR compliance, whether you build an LMS or run an educational institution, requires deliberation. There are few binary answers to compliance. But by understanding the principles and making thoughtful decisions, you are halfway there.
But in these grey-area decisions of GDPR compliance, who is to say if the right decision has been taken? Ultimately, if a dispute arises, this will come down to the supervising authorities. And I have a feeling it is a lot better to have made a wrong decision based on thoughtful analysis than on being ignorant. Supervising authorities do not think ignorance is bliss.