Organisations in Europe and beyond are gearing up to become GDPR compliant, but many are doing so begrudgingly when in fact the exercise should be looked at in a positive light. The GDPR provides organisations with an opportunity to develop a new philosophy about data governance. It’s a development that will protect your and my personal information from misuse and abuse.
Ownership to custodianship

For organisations dealing with clients, employees and suppliers – known collectively as data subjects in GDPR-speak – it means a fundamental change in philosophy regarding the personal and sensitive information they hold about them. I like to think of the new regulation as data governance that gives organisations the opportunity to change from being owners – to custodians – of personal information.

Precepts of the GDPR

Some of the precepts of the GDPR philosophy are that:
- Data and personal information is a precious resource that needs to be taken care of rather than taken for granted.
- Personal and sensitive personal information belongs to the people whose information it is, not the holders of the information.
- Organisations can only use personal information with the permission of the people whose information it is.
- The granting of that permission is not a free-for-all; it covers only the purpose that an organisation’s privacy notice specifies.
- Personal information held by organisations must be disposed of when the legitimate purpose it was collected for has run its course.