GDPR: What is a defensible position?

In a benchmarking survey conducted by Deloitte, looking at businesses across the EMEA, it was discovered that only 15 per cent of organisations expected to be fully GDPR compliant come 25 May, with a 62 per cent opting for a legally defensible position.

While the enforcing bodies of the new regulations would prefer everyone to be compliant, for many businesses (large and small), a defensible position may be the next best thing, for now.

What is a legally defensible position?

A legally defensible position means that on 25 May you are able to prove to the enforcing bodies that you are carrying out every claimed process, and what you’re doing can be measured, monitored and quantified.

With regards to data breaches, a defensible position means that you admittedly won’t be able to stop one (necessarily), but you are in a position to mitigate the possible fall out and widespread implications of leaked user data.

Creating a legally defensible position

When creating a defensible position, you need to look at every aspect of your business from both customer facing and internal facing web portals, alongside other offline processes. You need to assess what data you hold, where that data is stored, who has access to that data, and how it is used.

It’s also important to establish whether or not you have a legal position, or explicit permission from the individual (or data subject as referred to in the legislation) to store that data, and how that data can be used.

If you can’t answer the above points both simply and quickly, your defensible position is already in doubt.

One thing that GDPR has already done is prove that lot of businesses don’t wholly realise how much data they control, and the different processes in how data is handled.

Modern tools, processes, and frameworks are enabling businesses to move beyond antiquated methods still being employed, allowing the “single lens view” that’s required for a defensible position.

This also enables businesses to remove the guessing, and know precisely how data is being managed, and where anomalies and exceptions can, and do, occur.

Achieving a defensible position

A key aspect of a defensible position is the ability to demonstrate consistent data management and protection across the business.

Some of the essential steps towards achieving a defensible position include:

  • Ensuring that those responsible within the organisation for monitoring compliance have a “single lens view” of the entire organisation, its processes and its activities.
  • Continuously monitor online and offline processes, data storage areas, and customer facing environments, such as physical shop floors and websites.
  • Use the regulations as an enabler and combine processes were possible across existing data management obligations.
  • Create a cycle of continuous assessment and improvement, and with new ventures work towards achieving privacy by design.

Technological advancements will also play a role in allowing businesses to take a credible, defensible position, and will enable the new wave of DPOs, ISOs, DPOs, and CCOs, to industrialise and automate key monitoring compliance processes.

While there are a number of methods to automate offline solutions, there have been a variety of technological advancements that range from the affordable for SMEs, to larger more comprehensive tools for enterprise level organisations.

When choosing solutions for online compliance, there are features that can help compliance stakeholders both achieve a defensible position, as well as full compliance, and these include:

  • Automation of core activities (such as routine vulnerability scanning of a web application).
  • Continuous monitoring and alert triggers (to replace time consuming and unreliable spot-check testing and manual auditing).
  • On-demand status reporting and comprehensive audit trails.

The UK governing body, ICO, expects organisations to assess the technologies available and make choices based on their business needs — whereas the Irish enforcing body expects larger organisations to invest more in technologies than smaller.

Is a defensible position right?

It’s important to remember that a defensible position isn’t a long-term solution, as you will need to show progression against the milestones towards full compliance, and as previously mentioned, a defensible position won’t prevent a data breach.
If you are late to the game, a defensible position will be your best alternative if you cannot achieve compliance by May 25th.

Our advice would be to immediately create a list of all your data handling processes, and where all data is stored (online and offline), and start to put in-place a compliance roadmap, taking into account “quick wins” for both online and offline, and accepting that some immediate implementations may be restrictive on current business practices – such as who has access to certain data pieces.