As I explained at length in my earlier article on the GDPR, businesses, organizations, institutions and other entities throughout the world are facing a huge challenge to become compliant with the new reformed European data protection legislation. The GDPR comes into effect throughout the world on 25 May 2018, and its profound implications are not limited to the geographical area of the EU alone. What needs to be acknowledged is that the EU data protection rules will affect almost everyone as the GDPR takes data security and privacy to an entirely new level. The most important things to know are displayed in Figure 1.
As I highlighted in my earlier post on the topic, GDPR is not just a compliance IT project with some new organizational and technological aspects. The GDPR, as was emphasized by many experts on the subject, extends well beyond the geographical boundaries of the EU, and its jurisdiction includes all EU residents (citizens, tourists, visitors, etc.) no matter where their personal data is actually processed, even if the entity in question doesn’t have a de facto domiciled presence in the European Union. [1]
Ross McKean, now a partner at international law firm DLA Piper, has characterized GDPR as “a paradigm change in the way that data collection and use is regulated,” and the GDPR will end the “era of relatively laissez-faire regulation of data in Europe.” [2] The GDPR, although extensive and overreaching, is not the final word though, as member countries will still have some room to maneuver around specific topics (in the form of derogations, exemptions, and special conditions), and although GDPR as a Regulation will replace the current Data Protection Directive (Directive 95/46/EC) as such, there won’t be total legislative harmonization throughout the EU.
The GDPR is a long, exhaustive legal document containing various requirements, standards, and duties, and it is structured around two main sections, namely the Recitals (173 in total) and eleven separate Chapters under the Regulation itself. The Chapters are further broken down into 99 Articles, each of which defines and sets up different aspects of the Regulation. As shown in Figure 2, Articles 1-50 constitute the primary content of the Regulation, and Articles 51-59 define the mechanisms of enforcement and supervision of the Regulation. It’s important to note that no legislation is an isolated island, i.e., different Articles of the GDPR are interconnected, and they are also affected by external regulations, e.g., MiFID II and PSD2, which have different aims from the GDPR. [3]
As has been pointed out by various experts and data privacy practitioners, non-compliance is not an option, and failure to adhere to the Regulation can result in harsh financial repercussions, additional claims for damages by affected individuals (including class-action suits), possible regulatory intervention, and most importantly, loss of confidence and reputational disaster. [4] A recent study by Veritas points out that “organizations across the globe mistakenly believe they are in compliance” as businesses and other entities seem to incorrectly define the meaning of GDPR-readiness vs. GDPR compliance/accountability. Out of 900 business decision-makers interviewed throughout the globe, “only two percent actually appear to be in compliance, revealing a distinct misunderstanding over regulation readiness.”
Further, numerous studies, news articles, and other sources report that many companies around the globe are actively investing considerable amounts of money, people, and other assets to become GDPR compliant. One doesn’t need to be an expert to understand that investment does not guarantee returns, and as I have pointed out already, GDPR is much more than just an IT project with a little bit of data privacy, compliance and legal. Every single affected company has to figure out how the GDPR will change them, from the fair, lawful and transparent processing principle to the holistic accountability principle. For example, the financial services industry and mobile network operations face entirely different industry-specific challenges although their organizational challenges can be similar. [5] For example, a bank has a lot of personally identifiable information (PII) that is linked to a consumer’s financial standing and financial behavior, whereas an energy company has PII that is related to electricity usage and customer service records. [6]
The crucial step, as McKinsey’s Daniel Mikkelsen, Kayvaun Rowshankish, Henning Soller, and Kalin Stamenov highlight in a recent excellent article, is to “understand how they can best interpret, measure, and monitor compliance.” So achieving GDPR-readiness is not about implementing a couple of quick-and-dirty fixes here and there; it’s fundamentally an organizational transformation taking place on multiple fronts. Sure, there are various generic plans for how to address the GDPR, but the time and effort needed to achieve GDPR readiness and compliance is profoundly influenced by the organization itself, e.g., ambitions and goals, preferred approach, the level of senior management engagement, IT architecture and overall landscape, and the operating model. Only after there is agreement on the basic starting points is it possible to carry out an appropriate analysis of the GDPR requirements and define the particular subset of requirements to be implemented. A similar idea is also shown in Figure 3, which stresses the importance of an internal understanding of GDPR and its demands instead of purely relying on external advisory on readiness and compliance. It’s important to keep in mind that the execution of consent management, the introduction of data protection officers, privacy by design, data governance, data portability, etc. will undoubtedly require trusted vendors and partners, but everything depends on the organization itself becoming more aware of its daily processes, practices, and routines in terms of the personal data it has and processes.
Too many bricks, too few builders, and way too many plans
Daniel Mikkelsen and others highlight many significant stumbling blocks in the way of achieving GDPR compliance in an article I mentioned earlier. Moreover, Forrester’s Enza Iannopollo has discussed related challenges in a briefing published last year and Accenture recently released a short paper on the basic issues when addressing the GDPR. [7] It’s true that there are numerous strategic, operational and tactical challenges raised by the GDPR, but not everything is as important as it seems, e.g., appointing data protection officers is not rocket science, although setting up roles and appropriate governance alongside administrative duties is not easy, not simple, but necessary.
So, what are the biggest challenges of the GDPR? It depends on your perspective. Personally, I think that the personal data breach notification, extraterritorial reach, data portability, privacy by design, and proactive compliance (the accountability principle) will pose significant challenges for every business and organization operating with and/or processing personal data.
Daniel Mikkelsen and others argue in their recent article that there are five main issues with the GDPR from the organizational point of view. Let’s look at them one by one.
First of all, there is a tendency toward “underestimating the scope of the regulation,” i.e., it takes a lot of time to understand what is actually required, to define the actual impacts on multiple issues, and to adequately describe the current state of affairs. In the case of GDPR, there are various activities which are deemed necessary to achieve at least the minimum GDPR compliance in time. As I explained in my earlier article, the minimum compliance (and accountability) has to be reached in time, and if the organization is aiming to reap further benefits from the GDPR and turn this burdensome implementation into a genuine opportunity, there are numerous ways that real options can be utilized to carry out more advanced strategic planning. For example, let’s just think about the data storage and retention policies for a moment. There has to be some kind of well thought out business logic behind the business-wide storage and retention decisions, as these are not matters that IT should be figuring out and deciding on. As independent writer Lucia Stefan notes, “GDPR is not only about information security and ISO 27001, it is also about managing the lifecycle of personal data and having the enabling technology” – so just getting rid of the (unnecessary) data is not an easy option. Visualizing the work, in this case, can be quite a useful exercise.
Secondly, there is “uncertainty about how to interpret the requirements.” This is an invaluable insight, as there is no silver bullet to determine how one principle is actually implemented. It’s a bit worrisome that McKinsey’s article points out that “most companies have yet to decide how to put these principles into practice.” Interpreting the GDPR principles legally, writing down general requirements and carrying out impact assessments are not easy, as they require business, operations and IT as well as legal talents to actively discuss and become deeply engaged with the overall GDPR work. Tim Clements has highlighted the importance of documenting assumptions, validating them and assigning ownership to cope with the GDPR requirements.
Thirdly, it’s underlined in the article by McKinsey that there is “slowness in identifying the additional security measures needed.” This is a valid point, but there are also other problems besides overall slowness, e.g., acquiring specific data security talents, building domain-specific critical capabilities, etc. Fourthly, it’s not easy to “build and maintain a comprehensive inventory of all their personal-data-processing activities,” and therefore having appropriate data management and technology architecture is of paramount importance. The GDPR requires both the data controllers and data processors to “maintain a record of all categories of processing activities” as stated in Article 30, and as a record, as such, is nowhere explicitly defined, it can mean pretty much anything. Sure, it can be thought that the documentation should be available in written form. Tim Clements has been writing on the GDPR for a long time and has provided an excellent holistic purpose-driven approach in addition to operational data flow mapping. [8]
Personally, I have found Isle of Man Information Commissioner’s portal on the GDPR, French Data Protection Authority’s (CNIL) six-step methodology and UK’s Information Commissioner’s Office (ICO) extensive asset library to be pretty useful on these matters. [9] Isle of Man’s Information Commissioner has created a vital document titled “Know Your Data Mapping the 5 W’s“, and it contains the 5W’s of the GDPR. [10]
I have collected the original 5W’s (Why, Whose, What, When & Where) from the original document and complemented them with additional remarks and questions. [11]
Why… (purposes and reasons of processing)
Whose… (categories of persons)
What… (categories of personal data processed, sources of data, sensitive data, and legal basis of the data)
When… (when the personal data is obtained, to whom it may be disclosed and why, and how long it is retained for)
Where… is personal data processed (or stored)? (identify a “storage location” and data transfers for each of the reasons for processing) [12]
This is not an in-depth exercise, as the Information Commissioner’s document clearly states, but rather it can be used to establish a baseline and serve as an additional document to support further gap analysis. Why are these 5W’s necessary? Every organization has to acknowledge and understand its data inventory and the mapping of its current data processing activities, and data storage and data retention also have to be known. CNIL has, further, created a manual for Privacy Impact Assessments in 2015 (although this was published before the GDPR took its final form, it’s still useful as a methodological perspective), and they have also published a data inventory template (in French) as part of their six-step GDPR methodology. [13]
There are several illustrative examples available of these different records for both controllers and processors, as seen in Figure 5. It’s noteworthy that in this example different categories of personal data, the purpose of processing data, etc. are stated explicitly. What the document doesn’t say is that just collecting a record is not enough according to Article 30(1-2), as there is the magic word maintain. What this means in practice is that the organization in question, unless it is for some reason exempted from maintaining records of processing activities, has to carry out organizational design in order to assign appropriate responsibilities throughout the organization so that, for example, records are kept up to date, e.g., instead of every business unit creating its own records, try to offer everyone a single model template and establish a process for exceptions handling. [14]
Fifthly, and lastly, there is “lack of capabilities to fulfill their obligations” according to Daniel Mikkelsen and his co-authors. Mikkelsen and others provide some relatively simple examples of “the capabilities they will need to execute data subjects’ rights in a timely manner” but they are missing the whole point. It’s not just about “building IT capabilities to fulfill these requirements” or “consolidating data from disparate systems” but actually ensuring constant data protection at the enterprise level and conceiving a front-to-end-to-front kind of GDPR governance system that ensures at least minimum compliance well before the GDPR is enforced in May 2018. To reinforce my point, just take a look at the extensive Dell survey on GDPR awareness and preparation conducted last year. Here are some highlights from the results:
More than 80 percent of respondents say they know few details or nothing about GDPR
Close to 70 percent of IT and business professionals say they are not or don’t know if their company is prepared for GDPR today, and only three percent of these respondents have a plan for readiness
More than 75 percent of respondents outside Europe say they are not or don’t know if they are prepared for GDPR
Nearly all companies (97 percent) don’t have a plan in place when GDPR kicks off in 2018
The whole issue of capabilities is critical, and it’s not adequate to condense the matter to a plain vanilla technology problem. As noted by Marc van Zadelhoff from IBM Security in a recent article published in the Harvard Business Review, there is a global cyber security talent shortage. Also, Kasey Panetta from Gartner has discussed this issue, Ian Chant has weighed in with additional insights, and Deloitte has put forward a paper proposing an augmented security approach to deal with the problem. So is this mainly a technology, process or people issue? Rita Heimes and Sam Pfeifle estimated last year that “as many as 75,000 DPO positions will be created in response to the GDPR around the globe”. Out of the whole DPO stock, we’ll need approximately 28,000 DPOs in Europe and the United States alone to meet GDPR requirements. These are large numbers. I am not a cyber security talent expert, but I assume that one problem is the shortage of hardcore technical skills (and no, I am not downplaying the importance of soft skills in any way).
What can be done? An optimistic outlook
So, as has now been pointed out, there are various challenges in complying with the upcoming GDPR. Based on McKinsey’s article, there are at least eight different ways to tackle the problems posed by the GDPR. You can check out the article to assess if you find these suggestions worthwhile. I will just point out a couple of things to consider.
First of all, the GDPR action plan should be based on a much wider strategic assessment of numerous ongoing compliance projects, e.g., PSD2 and MiFID II have considerable overlap with the GDPR. This evaluation should include a comprehensive current state analysis to figure out the as-is technical, organizational, financial and behavioral constraints. It’s also crucial to find out if the GDPR could be the standard for the whole company in the case that the company is multinational, and therefore stakeholder management has to be in place towards local supervisory authorities. For example, Finance Finland has organized numerous industry-specific training sessions, and I think that it’s essential for competitors to coopete to find out the baseline.
There are various ways to be GDPR-compliant. The GDPR work has to be based on some kind of governance framework that assumes the responsibility of instituting organization-wide awareness of the changes caused by the GDPR, sets up the GDPR program with clear objectives to achieve for different time intervals, and maintains an overall big picture of all the activities related to the GDPR. Everyone, not just the C-suite and senior management, has to know what happens when GDPR is enforced next year. The governance structure is in place to make sure that there is an accountability roadmap for carrying out assessment and a blueprint to design the GDPR work so that there is consensus on the things that need to be accomplished in time. The mission of the governance structure is to guide the GDPR-related work through two fundamental principles of the GDPR:
- The core principles relating to processing of personal data: (a) lawfulness, fairness, and transparency, (b) purpose limitation, (c) data minimization, (d) accuracy, (e) storage limitation, (f) integrity and confidentiality, and (g) accountability as an overarching principle to demonstrate compliance. (Article 5) [15]
- Data protection by design and by default (Article 25)
As one company, namely IT Governance, has proposed, the actual work following the establishment of the governance structure is to appoint and adequately train the Data Protection Officer(s) (DPO), carry out data inventory and data flow audit, assess the compliance gaps, carry out Privacy Impact Assessments (PIA) and security gap analysis, remediate, test the data breach response process, and most importantly, continuously monitor, audit and improve the process along the way. [16] This model, which closely resembles the following CNIL six-step methodology, is something that many consulting and research and advisory firms have proposed in various formats. One thing to keep in mind is that consent management, certain individual rights (i.e., the right to erasure/right to be forgotten and the right to data portability) and transfers of personal data will have a significant impact on technologies, people, and processes. It has been estimated by Veritas Technologies that “companies will spend an average of €1.3 million ($1.4 million) on systems and training to comply with the GDPR”. It should be noted that the direct GDPR compliance costs may vary a lot depending on the industry and organization in question, and it’s clear that some of the compliance costs are not just one-off. [17]
Secondly, it’s important to prioritize all the GDPR-related implementation as described by the third step of the CNIL methodology and institute a risk-based assessment of all the ongoing GDPR work. This is easier said than done, but some kind of prioritization has to take place as we don’t live in a world of superabundance with no scarcity, so opportunity costs and trade-offs have to be carefully thought of. [18] So, what can we do right now to be 0.01% more compliant? What is our baseline and what are we aiming at? What investments will have the highest return before the GDPR deadline? What are the biggest risks and what can be done to mitigate these? Where are the biggest compliance and accountability gaps? Who do we need to help us out and when do we need this help? How effective are the current data security and data privacy methods utilized? What about Article 28 and outsourcing agreements?
Learn to juggle with the GDPR
Gartner has predicted that “by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.” Take a deep breath and think through what you just read. More than 50 % of companies will not be in full compliance with the GDPR. Every organization working with any kind of project will always face the classic triple constraint as shown in Figure 6. A project aiming at GDPR compliance is no different, as scope, schedule and budget have to be balanced against risk, resources, and quality. One thing, scope (“compliance and accountability with the GDPR”), is nonetheless given, as is the schedule, thanks to the GDPR’s requirements. Everything else is, in theory, negotiable, but the scope, with specific attention to data security and data protection, is fixed. There are various Rumsfeldian epistemic quandaries facing every project, and it’s essential to recognize the fact that unknown unknowns will be the showstoppers. Remember to recognize the assumptions and validate them. For example, in the financial services industry, the legacy IT systems are mostly designed in a way that no data can be permanently deleted.
As Martin Zugec rightly emphasizes, “Security is no longer an ad hoc process, it needs to become our new lifestyle.”
As I pointed out in the earlier paragraph, time is running out (schedule), but minimum compliance has to be achieved in time (scope, quality & risk). Organizations that are not prepared for the GDPR are at risk of being fined by the supervisory authorities, disciplined by the markets, and facing considerable brand damage and revenue losses, while those corporations and organizations that are already moving towards full GDPR compliance can standardize, harmonize, implement and monitor their end-to-end activities. We will see which players are able to achieve the minimum standard, and which are already able to carry out overall customer data transformation to maximize the business benefits of the GDPR. As Daniel Mikkelsen and others bluntly point out, “These are compelling reasons to treat the new regulation as a high priority for the whole organization, not just the risk, legal, and compliance functions. And with the implementation date imminent, companies need to act fast.”
Every organization affected by the GDPR should already be working on the implementation to make sure that everything will be tested and operational in May 2018. But remember that there will come a day when you will face at least one unknown unknown. [19] Who do you turn to? Remember that these are both epistemically and meta-epistemically beyond your reach. The only answer is experience accumulated over time.
[1] For a more thorough assessment and criteria for possible exclusion from the GDPR’s requirements, see Bird & Bird’s Guide to the General Data Protection Regulation, p. 2, section “Non-EU ‘established’ organizations who target or monitor EU data subjects”.
[2] Ashford, W. (2016). “EU data protection rules affect everyone, say legal experts.” ComputerWeekly.com, 11.1.2016.
[3] Beratarbide, E. (2017). “EU General Data Protection Regulation (2016)”. LinkedIn Pulse, 20.2.2017.
[4] AMOnline (2017). “Management ignorance of new data rules threatens companies with financial and reputational damage.” Market Insight, 17.5.2017; Hopkinson, G. (2017). “GDPR is coming, and it could be a disaster for organizations that are unprepared.” PR Week, 19.7.2017.
[5] Gabel, D. & Hickman, T. (2016). “Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation”. White & Case, 22.6.2016; Dunlop, A. (2016). “GDPR: data protection principles.” Burges Salmon, 7.11.2016; Payne, C. (2017). “The Six Commandments of the GDPR.” The State of Security, 29.3.2017.
[6] Korva, T. (2017). Euroopan unionin tietosuoja-asetus energia-alan yrityksen asiakastietojen käsittelyssä. Thesis, Oulu University of Applied Sciences.
[7] Deloitte has also compiled a pretty good overview of the foundations of the GDPR.
[8] See Article 30(5) (L 119/51) for specific exemptions.
[9] Just compare these to the Finnish Data Protection Ombudsman’s GDPR website. For some other data protection documentation available through European authorities, see an article published in pdpEcho blog.
[10] 5 Whys is a classic method to discover cause-and-effect relationships.
[11] I have attached additional explanations based on Carol A. F. Umhoefer and Caroline Chancé’s important contribution where they decipher CNIL’s six-step methodology for GDPR compliance.
[12] In addition, as Umhoefer and Chancé explain, it’s essential to identify two additional things: Who is processing information? (identity of the data controller, the persons in charge of the processing operations and the data processors) and How is information processed in a secure manner? (security measures in place and planned).
[13] The GDPR requires a lot of documentation to be maintained, so the records of processing activities are just one part of the overall documentation stream.
[14] Forcepoint (2017). “GDPR Technology Mapping Guide: Personal Data Inventory”. Solution Brief – Part 1.
[15] See Recital 61.
[16] Here you can find a more recent presentation by IT Governance and Agilisys.
[17] Intended direct costs are just one part of the equation as the costs of non-compliance have to be weighed in as well.
[18] On budgeting for a GDPR project, see Bräutigam, T. (2016). “How to budget for a GDPR project: A primer”. IAPP, 29.11.2016.
[19] Just keep in mind that the Dunning-Kruger effect is still there.