
In the preparation for GDPR and the UK refresh of the Data Protection Act, it seems that some organisations, especially government departments and public bodies, are asking some very awkward questions:

  • Assurances, pledges and loyalty oaths that an organisation is 'GDPR ready'.
  • Copies of the organisation's policies and procedures relating to GDPR.
  • Claiming a right of audit.
  • Contractually requiring agreement and proof of deletion, 'forgetting' and/or return of data.
  • Contractual requirements which duplicate, or transfer to the organisation, the burden of handling the personal data provided to it by the contracting party.

There are probably others going the rounds as well. Prefacing what I'm going to say with IANAL (I am not a lawyer), it makes sense to apply some rationality to this and maintain the proper borders between organisations. In general I do not believe that anyone has to promise to anyone else, including the Government, that they are going to obey the law. Extra contractual conditions won't provide any kind of indemnity to either party. Remember that organisations that supply data have a duty of care to both the owners of the data (the individuals) and whoever they share it with, to ensure that they indeed hold the necessary permissions. There could potentially be a lot of 'indemnities' swapped around, but of course they mean nothing.

The same really holds true for being asked for copies of policies, procedures or even implementations. This isn't new behaviour; there are some companies that seem to love forcing their own procedures down suppliers' or even customers' throats: being asked for the details of ISO 27001 compliance, the procedures for generating, holding and rotating keys, and so on. Each one of these requests can be managed with a blanket response: "We maintain and regularly review our policies in this and other areas in the light of best practice and the regulatory conditions applicable at the time, including any legal requirements. The specifics of our policies, procedures and implementations are naturally commercially sensitive and are not to be shared."

This is especially true of a right of audit. Unless the specifics of handling data can be entirely separated by supplier or third party, it would be very difficult to allow a third-party audit without also exposing other data to which the auditor has no reasonable right of access.
