Legalistic GDPR – a liability

Once again, about how the legal approach to GDPR ‘compliance’ did not work quite as intended.
How long until this is rightfully concluded to be the wrong way per se for the subject ..? For any subject ..?

Yes, some branch of the Big 3½ (them again) had used the wrong grounds for processing, and was subsequently fined for this.
Probably, there had been a lot of discussion, with regulators (DPA). Maybe also about all sorts of other things where there wasn’t anything outright illegal but concrete blocks of bureaucracy were put in the path of effectiveness and efficiency.
But certainly (it seems ..?) the legal staff had overblown their understanding of the subject by:

  • Over-eagerly beavering through all ‘requirements’;
  • As if all of them were new, and needed to be taken worst-case. This, a legal bookworm specialty. Not understanding almost anything of the real world, overshooting with the wrong checkbox approaches;
  • Thus misreading not only the GDPR articles, but the introductory notes as well;
  • And forgetting to see that legal definitions may be very far off normal business. E.g., Article 30 Record of processing activities [dunce’ly translated in Dutch into a ‘register’ of the same, no less…] is all too often taken by legal beavers to mean some sort of separate ‘system’ of record. Whereas any decent [wanted to write ‘half-‘ but that’s not good enough anyway] IT architecture should include a data architecture and when you add a few columns with privacy-sensitivity et al. there is nothing more you’d need;
  • Hence introducing all sorts of new ‘requirements’ that would have been part of any minimally normal business operations anyway. E.g., ‘appropriate technical and organisational measures’ – you do NOT want to do that for ‘privacy’ alone, or the measures are by definition not appropriate. And any org worth their salt has all that appropriate stuff in place already. Yes, a great many organisations didn’t, don’t, but you see, there’s your biggest problem: the organisation has no clue, and now only the ‘about privacy protection’ part is added. Note that Article 32, the one involved, lists pseudonymisation and encryption as solutions. Whereas everyone in infosec who takes their trade seriously already knew this; only the EU legalites didn’t have sufficient clue about the subject they were legislating.
  • Trying to slam all businesses with expensive and ineffective form-over-substance procedural justice tools. Shame on you, to try to sell to the innocent fearful – made so by your ab auctoritate shout-outs; that’s parasitic;
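
Taking the Article 30 point above literally: the ‘record of processing activities’ falls out of the data architecture once each attribute carries a few privacy columns. The snippet below is an added example, not code from the original post or from any project; every table, column and value in it is constructed for illustration, and the ‘legal_basis’ column is my addition (Article 30 does not list it, but it lives naturally in the same row and would have caught the wrong-grounds case the post opens with).

```python
# Added example (not from the original post): derive an Article 30-style
# record of processing from a data architecture annotated with a few
# privacy columns, instead of maintaining a separate 'register' system.
# All table/column names and values are constructed for illustration.

PERSONAL = {"personal", "special"}  # 'special' = Article 9 categories

# Constructed data dictionary: one row per attribute and purpose. 'table'
# and 'column' are what any data architecture already holds; the rest are
# the added privacy columns.
DATA_DICTIONARY = [
    {"table": "customer", "column": "email", "classification": "personal",
     "subjects": "customers", "purpose": "order fulfilment",
     "legal_basis": "contract", "recipients": "payment provider",
     "retention_days": 730, "safeguards": "encryption at rest"},
    {"table": "customer", "column": "name", "classification": "personal",
     "subjects": "customers", "purpose": "order fulfilment",
     "legal_basis": "contract", "recipients": "courier",
     "retention_days": 730, "safeguards": "access control"},
    {"table": "customer", "column": "health_note", "classification": "special",
     "subjects": "customers", "purpose": "order fulfilment",
     "legal_basis": "", "recipients": "",          # annotation left incomplete
     "retention_days": 30, "safeguards": "pseudonymisation"},
    {"table": "order", "column": "total", "classification": "business",
     "subjects": "", "purpose": "order fulfilment",
     "legal_basis": "", "recipients": "",
     "retention_days": 0, "safeguards": ""},       # not personal data
    {"table": "customer", "column": "email", "classification": "personal",
     "subjects": "customers", "purpose": "marketing",
     "legal_basis": "consent", "recipients": "mailing tool",
     "retention_days": 365, "safeguards": "encryption at rest"},
]


def personal_rows(rows):
    """Keep only attributes classified as personal data."""
    return [r for r in rows if r["classification"] in PERSONAL]


def article30_record(rows):
    """Group annotated attributes by purpose into Article 30(1)-style entries:
    data subjects, data categories, recipients, retention, safeguards."""
    record = {}
    for r in personal_rows(rows):
        entry = record.setdefault(r["purpose"], {
            "data_subjects": set(), "data_categories": set(),
            "recipients": set(), "legal_basis": set(),
            "retention_days": 0, "safeguards": set(),
            "special_category": False})
        entry["data_subjects"].add(r["subjects"])
        entry["data_categories"].add(f"{r['table']}.{r['column']}")
        if r["recipients"]:
            entry["recipients"].add(r["recipients"])
        if r["legal_basis"]:
            entry["legal_basis"].add(r["legal_basis"])
        # Longest retention among the attributes used for this purpose.
        entry["retention_days"] = max(entry["retention_days"], r["retention_days"])
        entry["safeguards"].add(r["safeguards"])
        entry["special_category"] |= r["classification"] == "special"
    return record


def lint(rows):
    """Flag personal attributes whose privacy annotation is incomplete, so
    the wrong-grounds problem surfaces in the data model, not in a fine."""
    findings = []
    for r in personal_rows(rows):
        name = f"{r['table']}.{r['column']}"
        if not r["legal_basis"]:
            findings.append(f"{name}: no legal basis recorded")
        if not r["retention_days"]:
            findings.append(f"{name}: no retention period recorded")
    return findings


if __name__ == "__main__":
    for purpose, entry in article30_record(DATA_DICTIONARY).items():
        print(purpose, entry)
    for finding in lint(DATA_DICTIONARY):
        print("WARNING:", finding)
```

The point of the lint function is that the annotation is checked where the data is modelled; a purpose with no legal basis, or special-category data without safeguards, is a data-model defect you can catch in review rather than something a separate register would have to be cross-checked against.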

The result: Fines. For doing the wrong thing. Hopefully (sic) we’ll hear a lot more of these kinds of cases and fines, to in the end subdue the legalites [yes, comparable to Luddites], and leave information business to information-business-experienced staff again. Hopefully. Since a lot of regulator staff and executives (often, the higher one gets, the more airheadic ones one sees) belong to the previous category, hindering actual privacy.

OK for now. This:

[London Winter Wonderland, the same circus as your legal office (internal, external) ..?]


Maverisk / Étoiles du Nord