Léon Atkins, CEO of Obséy International, presented yesterday at the UK’s ExecLN GDPR Conference.
Can a parallel between GDPR and Health & Safety be drawn? Léon Atkins challenged the audience to reflect on how the drive towards safety in the workplace, which started in earnest in the 1970s, could be used as a template for the continued and long-term effect that GDPR might have on the future of data protection and privacy, which Léon predicts will quickly move from the “what”, to the “how”, to the “just do”.
Léon identified that a GDPR management framework, like a Health & Safety framework, needed to address three basic steps: identify the risk; if possible remove the risk; and at the very least, effectively manage reduction of the risk.
In identifying the risk, Léon said it was critical to get GDPR on the organisation’s risk register and into the domain of the Board:
“The Board has to demonstrate to the stakeholders of the business, including its employees, that GDPR compliance should be taken seriously. This has to be reflected in its commitment to supporting GDPR led action, and making adequate resources available to deal with the risk.”
Léon went on to say that data minimisation was critical: “‘Do we really need to collect and process this data?’ is a great question to ask. If the answer is no, then stop the processing.”
The virtues of adopting a straightforward compliance framework underpinned by the three “P”s – people, policies and processes – were explored in depth, with parallels drawn to how these are successfully used in Health & Safety frameworks.
Léon concluded by reiterating that this all needs to be supported by effective monitoring, auditing and reporting back to the Board:
“If the Board knows what is going on, they can effectively engage with the risk and lend their support where needed.”