GDPR Ask Me Anything GDPR

View the original Working Session content

In this ‘Ask Me Anything’ session on the General Data Protection Regulation (GDPR), topics and questions from the audience were:

What steps are involved in handling a DSAR (Data Subject Access Request)?

  • Verification of subject/customer ID by the organisation handling the request
  • 28-day turnaround to verify records and email exactly what is needed
  • Offer as much subject/customer data as is available to the subject/customer for the given ID
  • No proof is required for meeting a request for deletion
  • Some legal advice has been to concentrate on the email address/ID in hand, noting that the same person may be known to the organisation through different emails, stored in different parts or databases.

How should anonymisation be handled?

  • Overall GDPR position is that if data has been cleansed, it can be kept
  • It is also important to be sure that everybody has the same understanding of what anonymisation means
  • Watch out for different use cases and edge cases. For example, booking data with flight number and airport could be equivalent to personal data if there was only person on that flight
  • If an IP address, possibly provided by an ISP, can be used to identify a person, it becomes personal data.

When does an organisation need a Data Privacy Officer (DPO)?

  • When it monitors a lot of people in a public space, for example, via CCTV
  • When processing special category data
  • If it is a public authority
  • Article 37 is a reference.

What could be worst-case scenarios for GDPR non-compliance?

  • Losing personal data twice. For example, one organisation was fined £225,000 for losing videos with sensitive information. The second time, it was fined £335,000 for losing videos again
  • Multiple levels of management knowing that the organisation is not compliant with GDPR, but not acting to correct the situation

GDPR as an opportunity

  • A good opportunity to take data more seriously and do better housekeeping. For example, stop keeping photos longer than X, if there is a consensus that there is no value in keeping them longer anyway.
  • Ask pertinent data questions linked to GDPR compliance:
    • Do we need to keep it?
    • Have we been taking care of ‘this’?
    • How have we been taking care of ‘this’, etc. This can improve security generally.
  • By clearing out data, a further benefit is that less storage is needed and costs are reduced
  • An opportunity to mature the way the business works.

Threat modelling as a way of identifying GDPR risks

  • Take data, connect the dots, see where it goes, which systems handle it, what the data journey is.
  • Threat modelling identifies the associated risk. GDPR is the legal obligation. Tie the two together.

Next steps on the GDPR journey

  • Privacy by design
  • Maturing processes and practices
  • Ongoing improvements of systems
  • Start looking at data retention
  • GDPR is not ‘done’, it is a continuing process


Session organiser(s)


Attached materials: