Organisations are failing to address the most important risks because they do not have a structured approach to complying with the EU’s General Data Protection Regulation (GDPR).
This is the perspective of multidisciplinary practice PricewaterhouseCoopers (PwC), which has global insight into how organisations are preparing for the GDPR.
“The overriding impression is that entities are tackling the GDPR without vision for their desired end state,” said Stewart Room, global head of cyber security and data protection legal services and UK data protection practice lead at PwC.
“The concepts of vision, strategy and structure are part of classical approaches to business transformation, where you develop a vision for your desired end state, then you can put in place a strategy to deliver that vision and the structures through which this will occur, which are around people, processes and technology,” Room told a Westminster eForum event in London.
Ideally, he said, an organisation’s vision should take into account its economic goals for data and its risk position, which could include legal non-compliance and delivery risk.
“For example, if an organisation is tackling the GDPR for the first time now [with just 13 months to go], it may find that the skillsets are already sold out and they may not be able to get the people they need to support them, so there is a delivery risk,” said Room.
An organisation’s vision for the GDPR should also take account of its legal obligations in terms of the regulation as well as its moral and ethical obligations.
Without a vision encompassing all these things, organisations typically engage in “purposeless activity” and when they are “just doing stuff”, they have only a few points of reference and commonly end up with little more than a “legislative compliance programme”, he said.
Substantive harms issues
As a result, organisations may spend time on technical legal matters that may not address the “substantive harms issues” in terms of the company’s economic goals and obligations, said Room. But with a vision, organisations should be able to identify the matters that are most important to them, and then not get lost in “esoteric points of legal compliance”, he said.
If organisations get lost in a legislative compliance approach, they may miss the big areas of real risk, warned Room, saying that the best approach is for each organisation to think through exactly what the GDPR means for it.
“The absence of a vision for the GDPR is the major problem that needs to be addressed, not the technical nuances of legal interpretation,” he said.
Room also expressed concern for small and medium-sized enterprises (SMEs) facing the challenge of GDPR compliance, saying they typically need much more support than they can acquire internally.
“We need a very strong and well-equipped regulatory office,” he said. “We need much more investment into the Information Commissioner’s Office [ICO], not only to enforce the law, but to provide guidance and support to entities that require it and are looking for help.
“We also need more engagement from representative bodies in the business community to help fill that gap.”
Read more about the GDPR
- Businesses should be forging ahead with preparations to comply with the EU General Data Protection Regulation regardless of Brexit, says the Information Commissioner’s Office.
- The GDPR and global enforcement work will place an extra work burden on the ICO, but government has collaborated on a new funding plan.
- At the latest CW500 club, experts discussed how to make sure your organisation is ready for GDPR compliance.
- Businesses dealing with EU citizens’ data urged to ensure they are on track to comply with the GDPR in less than 16 months, as the world marks Data Protection Day 2017.
Room added that if the SME community is left as it is, it may get lost in the technical legal compliance issues and miss the real risks.
“And if we do get to a tough enforcement environment, SMEs will be the least well-equipped to defend themselves, so we need much more help for SMEs,” he said.
A third area of concern is around skills and expertise to ensure that technological controls can provide the necessary support for compliance with the GDPR, said Room.
“When I look at the technology industry, I am seeing a huge amount of confusion about the performance of technology and the role of the technology provider within the GDPR landscape.
“There are two issues: technology as functionality, which is very good, and technology as data management, which is very poor.”
Fear of technology
According to Room, data protection law exists because of a fear of technology, and it follows that technology is a huge part of the solution. “But much of the technology on offer is focused simply on functionality, storage and accuracy rather than data management components that are needed to be able to deliver the GDPR properly into the technology stack,” he said.
As a result, there is a massive problem in the economy, he added. “What we are seeing is a huge amount of paper being generated with the GDPR, but very little transposition of the control environment into the technology stack.
“The data protection professional is very good at drafting paperwork and creating long lists, but organisations must ask themselves to what extent they are confident that their technology stack is going to deliver all the right principles and build the requirements of the GDPR.
“I am not confident that many organisations are there yet or understand how to get there, and with mechanisms such as mandatory breach disclosure, that they are able to provide a very clear line of inquiry into the technology stack for all serious breach cases.”
Room urged organisations to question the extent to which they are ready to do that.