GDPR compliant products debunked: it’s all about HOW you use it
Thursday September 26th, 2019 by Silvan Jongerius
I’ve seen this a bit too often lately: products that qualify themselves as ‘GDPR compliant’, falsely leaving the impression that by using that product, an organisation will be GDPR compliant. In particular, some blockchain products like to label themselves as ‘GDPR compliant blockchain’, since in public opinion there are massive problems surrounding blockchain and GDPR. Welcome to GDPR compliant products debunked.
Whether it’s about a blockchain, a CRM or cloud storage, this is plainly wrong. In the case of blockchain, sure, you may have solved a particular compliance issue, but that doesn’t make your blockchain ‘fully GDPR compliant’.
You will need the right tools to become GDPR compliant, but tools alone will not fix your problems. It’s always about how you use them.
Your cloud storage provider may be fine for storing an email address and a name, but will hardly ever be able to help you meet the stringent requirements surrounding ‘Special Categories of Personal Data’ (Art. 9, GDPR), such as biometric, medical or genetic data.
Every data processor you add to your list will increase your compliance risk, as you are (under most circumstances) primarily responsible for the protection of the Personal Data you are entrusted with. Moreover, you cannot simply trust that your processors are doing what they claim to be doing; you have the obligation to verify it yourself (even though in practice this is hardly ever done).
There are tons of tools for GDPR out there, ranging from pimped project management tools giving you a list of tasks to complete to ‘become GDPR compliant’, to sophisticated Data Protection Management Systems. All these systems can help you with compliance, but are not going to achieve it for you. You will still need to drive the process, ensure the right information is in there, ensure the right organisational processes are in place, and essentially build a deep understanding of your data flows and take responsibility for your compliance.
In addition, you will probably be using these tools to also store some kind of personal data. Possibly of your staff that will be using it, or of those people submitting a subject request, or otherwise. So you are potentially increasing your risk profile with these tools as well.
No, you can’t, but you can ensure that the product you are building can be used in a GDPR compliant way by following these 7 key points:
“It’s all about how you process data; the tools you use are just a part of that.”
The GDPR does have a provision for certification mechanisms under Article 40 that could help demonstrate compliance, but to date there are no approved certifications a company can apply for. While the market seems to like the rubber stamp approach, the requirements of such a seal or certificate will likely be a lot higher than just taking basic steps towards GDPR compliance as suggested above. Also, it’s unlikely such certifications will ever apply to a product or service.
A process can be GDPR compliant. A product can’t be ‘GDPR compliant’ by itself, independent of its use or the process it aids.
Tags: Debunked, GDPR Compliance