Organisations in Europe and beyond are gearing up to become GDPR compliant, but many are doing so begrudgingly when in fact the exercise should be looked at in a positive light. The GDPR provides organisations with an opportunity to develop a new philosophy about data governance. It’s a development that will protect your and my personal information from misuse and abuse.
Ownership to custodianship

For organisations dealing with clients, employees and suppliers – known collectively as data subjects in GDPR-speak – it means a fundamental change in philosophy regarding the personal and sensitive information they hold about them.

I like to think of the new regulation as data governance that gives organisations the opportunity to change from being owners – to custodians – of personal information.

Precepts of the GDPR

Some of the precepts of the GDPR philosophy are that:
- Data and personal information are a precious resource that needs to be taken care of rather than taken for granted.
- Personal and sensitive personal information belongs to the people whose information it is, not the holders of the information.
- Organisations can only use personal information with the permission of the people whose information it is.
- The granting of that permission is not a free-for-all; it applies only to the purpose that an organisation’s privacy notice specifies.
- Personal information held by organisations must be disposed of when the legitimate purpose it was collected for has run its course.