(ISC)2 EMEA Advisory Council GDPR Task Force Highlights Concerns
As the May 25th GDPR compliance deadline approaches, (ISC)2 members continue to share implementation challenges within our EMEA Advisory Council’s GDPR Task Force monthly conference calls. This month’s discussion covered some grey areas and concerns for which there appears to be little current guidance. I thought I would share some of them here to see if we can add to the discussion.
1/ Control and data aggregation
Where two parties jointly determine the purposes and means of data processing, they are considered to be ‘joint controllers’ and must negotiate transparency and robustly agree their respective responsibilities. In an online world where a spiralling number of applications aggregate data from third-party sources, including social media, it remains unclear as to who owns and is responsible for the processed data.
2/ Balance of Power in Online Marketplaces
An unequal balance of power leaves smaller firms at the mercy of the security and privacy policies of the bigger corporates and social networks. Not all big companies are expected to make the deadline, and the smaller partners that rely on them will still be responsible.
3/ Blockchain gets in the way of Data Subject Rights
Blockchain is being seen to undermine the principles of transparency and accountability in GDPR. The digital signature on blockchain transactions marks them out as ‘personally-identifiable’ data. Blockchain is designed to be permanent so the right of rectification and erasure becomes impossible, while the anonymous nature of these transactions makes the right of access difficult to fulfil.
4/ The proliferation of GDPR compliance tools
Many companies, under time and resource pressure, may be tempted to over-rely on a highly active free market in tools that automate their process of compliance. Many vendors are emerging in an as-yet immature market, which has produced little independent quality control or oversight to verify commercial claims. Concern remains that, ultimately, many of these tools offer only a partial solution, and too many companies may not recognise that they do not replace the diligent and painstaking overhaul of processes and policies needed for genuine compliance.