tashka2000 - Fotolia

Much GDPR prep is a waste of time, warns PwC

Many organisations are not paying enough attention to technology in their preparations for the General Data Protection Regulation and risk compliance failure

Many organisations are focusing their preparation for compliance with the EU’s General Data Protection Regulation (GDPR) on the wrong things due to a failure to understand the real risks, according to a top legal adviser.

“If you do not focus on the technology stack over the next seven months, and you are responsible for a GDPR programme, you know where the pain is coming from,” Stewart Room, global lead cyber security and data legal protection services at PwC, told attendees of the IP Expo Europe 2017 in London.

Room said it was important to see the GDPR as just “another step in the 50-year data protection journey in Europe”, but warned that it built false assumptions about organisations’ data protection maturity.

“Because of those false assumptions, we will end up in inevitable failure,” he said. “Regardless of the amount of time and resources you may have, you will never deliver on the GDPR as designed.”

At the heart of the problem, said Room, is the fact that the basic principles of data protection date back to 1968, and in many organisations they have still not been incorporated into the operational reality of business.

The fact that many organisations are engaged in data mapping exercises is evidence of this, he said, because they are only now trying to find the data they should have been securing for years.

But, according to Room, the GDPR is designed under the assumption that organisations have long since got on top of this.

“When the GDPR was first published in 2012, the lawmakers assumed that the gap that we needed to travel in order to make our organisations fit for purpose might be somewhere between a two- to four-year journey, but the fact that so many are still busy with data mapping exercises tells us that the gap is substantially greater,” he said.  

Data security is a key requirement of data protection, and the GDPR assumes that this is something organisations have got nailed, but this is a key false assumption, said Room, because many organisations have not achieved the assumed level of maturity.

In reality, he said, many organisations are “performing markedly worse than the worst expectations of the lawmakers…The lawmakers assumed the GDPR would be deliverable, but the evidence of the economy is something totally different”.

Quantum of illegality

Based on the data collected by PwC through conducting GDPR readiness assessments, Room said the consensus is that “the maturity levels are such that the GDPR is impossible for most organisations”, and that, as a result, “all of us are going to carry a quantum of illegality into May 2018 and beyond”.

A key part of this, he said, is the fact that most organisations’ GDPR preparations do not take into account the day-to-day cases in which EU regulators are forming a point of view on data protection, which is all part of the GDPR, but not widely known.

PwC publishes an enforcement tracker that looks at data protection decisions in 21 jurisdictions to understand the root cause of failure and the requirements for change, said Room.

“And the single interesting common denominator across all these cases is that entities are failing, despite their investments in data protection,” he said.

“The organisations that are getting the book thrown at them include some of the biggest spenders in this area with some of the biggest [data protection] teams.

“And there can be only one reason for this, which is that they are obviously doing the wrong stuff.

“The activity they are performing is not addressing something of importance, and that is risk. The work is not addressing risk.”

But organisations can only understand risk if they start to define it and if they understand the wider context within which data protection and the GDPR is being contemplated, said Room.

Read more about GDPR

Although some organisations claim to be following a risk-based approach to GDPR compliance, Room said that if that activity is not “anchored to a taxonomy of risk”, the activity is “purposeless”, and purposeless activity is one of the quickest ways of being hit by enforcement action, he said.

For organisations that have not done any GDPR preparation with just seven months to go before the compliance deadline of 25 May 2018, Room said the biggest risk is that all the third-party service providers that could help have already been snapped up and are working to capacity.

In addition to legislative compliance risk, there is also the risk of failing to deliver a GDPR programme, he said, and regulator risk because the Information Commissioner’s Office and all the other EU data protection authorities also form part of the spectrum of risks.

“If you have a fantastic GDPR programme, it will be of no help if, when the regulator knocks on your door, you poke him in the eye because posture is as much a component of risk mitigation as delivery capability,” said Room.

“So where you need to go with your GDPR programmes is to understand the wider regulatory legal landscape and context, and then recognise the false assumptions and the inevitability of illegality, to make choices that are purposeful and connected to the things that matter most.”

Coping mechanisms

But there are some coping mechanisms, said Room, such as the “adverse security test”, which involves understanding who will challenge an organisation’s data protection framework and what they will see. Challengers include hackers, disgruntled employees, politicians, the press, contractors and regulators.

“The premise is that those who would challenge your data protection framework will challenge the things they would see, so if you understand who they are and what they will see, you will have found a mechanism to identify the future burning platforms of the GDPR,” he said.

“Each challenger has different perspectives and will see different things. The hacker, for example, will see the security vulnerabilities, which is what they will attack. But if you can understand these real scenarios of risk, you will still have time to adjust your GDPR programmes so that you are not performing purposeless activity, but instead are addressing the things that really matter.”

In closing, Room said that all theories of business transformation focus on changing paper, changing people and changing technology.

“Collectively, that means organisations become cyber secure and data accurate,” he said. “However, we are seeing a massive amount of effort focusing on the paper – the creation of paper, while very, very few GDPR programmes are making their way into the technology stack in any meaningful sense.

“The great irony of this is that data protection law exists only because of a fear of technology and the threat that that poses to citizen and human rights.

“But while technology is the threat, it is also the solution, which is why the GDPR requires the implementation of ‘appropriate technical and organisational measures’ across the entire landscape of your business,” said Room, stressing the importance of organisations focusing on that in the next seven months.

Read more on Privacy and data protection