With one month to go before the deadline for compliance with EU’s General Data Protection Regulation, organisations should ensure they are able to meet minimum requirements to defend against adverse scrutiny
Organisations should ensure that they have identified the scenarios that are most important to them and that have they understood what needs to be done to deliver the desired outcomes of their programmes aimed at achieving compliance with the EU’s General Data Protection Regulation (GDPR), according to Stewart Room, data protection lead at PwC in the UK and globally.
“That is what the GDPR will be about in the live environment. So, when programmes are tested by unhappy employees, unhappy consumers, privacy advocates, the media, regulators and so on, they are going to test against outcomes, such as delivering a greater degree of confidence in the mind of the citizen that an organisation is being open and transparent,” he told Computer Weekly.
However, Room warned that potential problems could arise because personal experience has shown that testing of outcomes is “not a natural, instinctual” part of this work, with organisations tending to test and measure “outputs” of the various elements of their GDPR programmes, such as the publication of privacy notices, rather than the “outcomes” they are trying to achieve, such as increased trust and confidence.
According to Room, organisations should be considering if they understand what their first line of defence would be and asking themselves if they are confident that they have understood the nature of the minimum viable product (MVP).
“Because if an organisation does not have a minimum viable product as a first line of defence against adversity – whether that is a data breach or a customer wanting marketing opt-outs – the business is arguably ‘naked’ from that moment on,” said Room.
In the context of adverse scrutiny, he said “defence” is about knowing what that scrutiny will look like and putting in place things to deal with it.
“The minimum viable product is the thing that gives us the best line of defence against adverse scrutiny, which should be the ‘outcome’ of any GDPR compliance programme.”
To measure the ‘outcome’ of any programme, Room said organisations need to have a methodology, such as the one developed by PwC, so that organisations can be confident that all the outputs “knit together” in a way that successfully delivers the desired outcome.
Chain of activity
“You have to start with a scenario. You then identify the front line of that scenario, and then you work backwards though all the links in the chain. And then you need to look at the scenario and identify the tasks and dependencies that will deliver on each link of the chain, and then you can start measuring them.
“You look at the scenario as a chain of activity and ask what you have got on each link and how these need to be improved, thereby identifying what needs to be measured,” he said, citing as an example a disgruntled customer contacting a company call centre because of spam emails.
In calling to object or complain, he said the customer is making an oral rights request, setting the clock ticking for the organisation to ensure there is no more spam marketing.
The links in the chain, therefore, are going to include how the company recognises that the call was a rights request, how the recipient of the rights request knows what must follow, and how does the technology layer trigger the steps in the chain that would be required to deliver the required outcome.
“With just 30 days to go to the compliance deadline of 25 May 2018, organisations should be focused on the minimum viable product that they should be delivering in a month’s time to achieve the necessary outcomes”
Stewart Room, PwC
“In terms of an outcome, the organisation concerned would need to know that the recipient of the call would understand what it was, that they would make the appropriate entry into the customer database, and that the database is connected into the suppression engine in the CRM [customer relationship management] system.
“And then you would want to know that there was some kind of deduplication technology to ensure that all instances of the customer in the database will be modified to reflect the customer’s request not to receive unsolicited marketing,” he said.
In terms of associated tasks in the programme that could be measured in respect of the call centre operator being able to recognise that the caller was making an oral rights request and take the appropriate action, for example, would be rights request awareness and database training, Room added.
“But getting confidence that the database exists is not about training, but about an element that the IT department has to deliver, and in this way organisations can pull elements or tasks from different work streams and reconfigure them into a journey that delivers the outcome.
“In this example, I took a task from the training work stream, an IT database design task from the technology work stream, a task from the third-party risk work stream because the CRM is outsourced to a cloud-based supplier, and I took a task from the assurance work stream that tests and confirms that all instances of the customer have been modified to block unsolicited email marketing.
“The result of this reconfiguration is that the tasks have been identified and I am now able to measure whether the tasks are capable of being performed successfully, enabling the organisation to walk through a live environment test,” he said.
Data protection goes beyond GDPR
While the focus in the UK economy is on GDPR, Room said it should not be forgotten that new data protection legislation is making its way through the UK parliament that is fairly closely aligned to the GDPR. “Very soon, UK organisations will have to comply with the Data Protection Act 2018,” he said.
“We will soon be talking about the DPA, but referring to the legislation that replaces the Data Protection Act of 1988, and there are some interesting issues around that, including the exemptions regime that needs to be looked at, the extension of the GDPR into the intelligence services, and the sections enacting the EU Police Directive.”
However, Room said the new UK data protection legislation “pretty much maps” well to the GDPR. “This means the practical implications are probably not going to be massive,” he said.
Turning to the departure of the UK from the EU, Room said businesses operating in the UK should not be afraid of life after Brexit as far as data protection is concerned.
Commenting specifically on concerns raised by privacy organisations around the potential conflict of UK provisions around data collection by law enforcement and national security agencies, he said: “I understand and fully respect the anxieties of privacy organisations.
“But I don’t perceive the peril to the UK economy to be significant, regardless of whether or not the UK gets an adequacy decision, which was my testimony to the House of Lords last year. Yes, there are perceived concerns about surveillance issues, but the reality of the situation is that the legal framework of Europe does not require an adequacy decision to maintain international data flows because there are several mechanisms, such as model clauses and binding corporate rules, that can be used.”
However, he added that there was a need to avoid confusion over the adequacy decision for the UK and the decisions that individual organisations face.
“They are not the same, and the degree of peril to international data flows caused by the absence of an adequacy decision is not as great as some people may perceive.”
Preparations reach full speed
Commenting in general about the fast-approaching deadline, Room said awareness levels among businesses were “sky high” and in many organisations there was fair amount of “frenetic activity” aimed at getting as much preparatory work completed in the next month as possible.
“There is definitely a feeling that people are pulling a heavy load with a huge amount of effort being deployed to move things forward. It really does not feel like a notional effort or like tokenism. It feels like there is a lot of resource going into it.
“This is highly positive, because if the data protection regulatory regime is about anything, it is about changing behaviour, and the quantum of effort is symptomatic of a change of behaviour,” he said, adding that the ripple effect of the GDPR was also starting to become visible in some sectors of the economy for the first time locally and globally as far afield as Southeast Asia, with organisations in countries such as Malaysia and Taiwan now beginning to enter the GDPR change environment and ask GDPR-related questions.
Another thing that is starting to become clearer, said Room, is the extent to which the “finer details” of the GDPR are being tackled.
“More than ever before, we are receiving more very challenging questions, such as questions around the interplay between terms and conditions and privacy notices, and the interplay between the GDPR and the marketing lifecycle, which shows that GDPR programmes are maturing into the detail of things.”
