One of the more misunderstood aspects of GDPR has to be how companies can process personal data. This is covered in Article 6 of the regulation, and even though there are 6 different scenarios allowing for the legal processing of personal data, the only one we are asked about on a regular basis is “Consent”. There is some justification for this, given that it is probably the most likely means of legal processing for most companies, and the most transparent. That does not mean we should ignore or forget the rest. To give a bit of clarity and shed light on all 6 ways to legally process data, we provide the following: each of the 6 justifications, a further description, and an example of when that justification might be used.
My GDPR journey
When I first began my professional GDPR journey in 2014, I was working as an in-house B2B marketer. At that time, I began researching the draft legislation and was trying to figure out how it might later impact my everyday work in the marketing department. Of course, I was also doing it so I could advise the senior management team on what the expected changing legal responsibilities would be. Furthermore, it occurred to me that a data breach and any negative attention from it could undo months and years of hard work I’d put in to build the company’s brand and reputation. It was then that I suddenly felt a greater weight of responsibility and duty of care for the personal data I was tasked with handling.
TSB have had a disaster to deal with. Lots of press coverage and all for the wrong reasons. A major IT change that resulted in days of customer chaos. Disruption that lasted for over a week.
IT infrastructures are increasingly complicated, particularly in the large banks, but I think it is irresponsible of people to say they are held together with sticking plaster. However, the complexity does mean that implementing change requires strong discipline and management.
Here are some points to consider.