What now seems an age ago, there was a TV series called The West Wing, telling the story of President Bartlet and his White House staff, who were capable of wisdom, bravery, some pretty good one-liners and glam frocks, and who were on a quest for human aspiration despite frequently revealing themselves as flawed human beings.
In the episode ‘A Proportional Response’, President Bartlet is battling the desire to order retribution on a vast and violent scale following a Syrian attack on a US helicopter which killed several Americans, including a young new father Bartlet had befriended. Instead, the President is talked down by his Chief of Staff, Leo McGarry, into taking a response that is proportional to the situation, rather than smiting the earth in fury.
A response, in Leo’s words, that ‘is proportional, it’s reasonable, it’s responsible, it’s merciful.’
And so what is the relevance of a ‘proportional response’ to GDPR compliance? To align with GDPR an organisation needs to strike the right balance between over-reacting and, yet, still addressing what needs to change.
After all the pre-25 May GDPR hype and headlines, and the deluge of consent emails flooding our inboxes, what followed was…well…not a lot, really. It almost feels like we are still waiting for ‘it’ to happen. Or that ‘it’ will never happen. That it was all just hype; yet another Y2K fizzer.
The very tempting ‘proportional response’ to this is to do exactly nothing. To pat ourselves on the back that we weren’t taken in by all the dark threats and headlines, and to go on our merry way, scattering personal data about like confetti at a wedding.
But don’t be fooled.
The ICO has been busy. The penalties issued to date are mostly still under the previous legislation. The investigative process takes time, and it has only been five months.
Whatever ICO decisions are downstream, what matters for organisations about data protection is what has always mattered. It’s an opportunity to do business better by aligning with the new regulations. That’s what a ‘proportional response’ is: one that makes sound business sense in the long term. It’s not just about fearing the goblins that live in dark data, or the avenging angels.
Taking a ‘proportional response’ to your data protection is about gaining positive outcomes along the way to compliance. Organisations will eventually save money they didn’t even realise they were wasting. They will gain insight from joining up data that they never knew they had. And should the worst case happen, they will be in the most resilient position possible to be able to handle such an event.
A proportional response requires you to understand your risk profile in terms of the personal data you control and process. You need to know what personal data you have, where it is and what could possibly go wrong. Which data and systems should you be focusing your effort on?
Once you have that knowledge, you can make it difficult for your employees to do the wrong thing and easy for them to do the right thing, because the systems in place support that outcome. You can take every reasonable measure to protect what needs to be protected, both from deliberate attack and from somebody simply doing something dumb.
‘It’s proportional, it’s reasonable, it’s responsible, it’s merciful.’ To your organisation, to your bottom line, and to the data subjects who are your customers and your employees.