November 11, 2020
What is GDPR?
This article covers the effects of GDPR on the world and elaborates on the role of technology by explaining Gartner’s “Technology-enabled Privacy Program.” It then looks at what organizations can expect in the coming years.
What has happened until now?
The EU’s General Data Protection Regulation is now law and has been protecting the personal data of European residents for a year. It has expanded the rights of individuals, giving them substantial control over their sensitive data and how it is handled.
The number of notifications received has grown significantly (206,326 reports), especially from individuals regarding their rights (46%). Officials have already dealt with more than half of the 206,326 complaints, with the majority of the rest still ongoing. The regulatory authorities are also beefing up their employee counts to meet the demand.
Large organizations such as British Airways have been hit with fines as high as $230 million. The Information Commissioner’s Office has become a prominent regulator in the digital space; it fined Facebook $626,000 last year over the Cambridge Analytica scandal. Examples like these indicate a significant gap between the degree of automation and infrastructure organizations have and what is required to comply with the regulations.
The need to comply with GDPR, among other regulations, is now essential to organizations worldwide. Data protection has become an increasingly important business issue and affects organizations of all sizes, cutting across all industries. Knowing where the sensitive data is and protecting it is now imperative to preserve individual privacy rights. Yet, there is still a lack of understanding of how technology can help in the fight to protect sensitive data and how significant a role it must play. This explains why 74% of organizations have failed to address the one-month notification response limit required.
Role of technology
As more countries adopt privacy laws, many organizations that have noted this shift have introduced privacy policies with the intent of being part of the post-GDPR data world.
Gartner calls this program “Technology-enabled Privacy Program.” The three stages of this program are Establish, Maintain, and Evolve. These stages are not an indication of the maturity level; for example, an organization in the early stages of its privacy program can choose to use capabilities from the Evolve stage, based on their business drivers and associated privacy risk.
The first stage, Establish, covers the fundamental capabilities and tools a privacy program needs.
This includes tools that can find every location where sensitive data is present in structured, unstructured, and semi-structured data stores. Knowing all the locations where your sensitive data resides is the first essential step in data protection.
This involves the classification of existing and new personal information. According to Gartner, classification should no longer be limited to the conventional security CIA (confidentiality, integrity, availability) triad, but should also capture details such as purpose, risk, and granular data retention policies.
Risk Assessment and tracking
Different sets of personal data have different risks. The risk assessment process involves adding risk scores to all sets of personal data and actively tracking them. This helps in risk-based prioritization and subsequent mitigation.
Under laws like GDPR and LGPD, organizations are explicitly required to document the personal data they hold and how it is managed, including who has access to the data and who it is shared with. These records are needed for auditing.
Gartner defines data minimization as “deletion of large swaths of data that is no longer in use, and that does not have any regulatory retention requirement.” Alternatives to deletion include tokenization
Notice and Policy
Notices are a public commitment to users, and policies are an internal commitment by the organization on how it will handle personal information. Notices and policies must be regularly reviewed and updated to align with regulatory requirements and consumer demand; reviews should be conducted yearly.
Universal Consent and Preference Management
The intent of “consent” is to extend control to the end-users allowing them self-determination over how much of their data to expose, to whom, and for what purpose, with the option of changing their preferences at will. Consent and Preference Management consists of the consolidation of these choices.
Subject Rights Management
This is a family of requirements under multiple laws (the EU’s GDPR, Brazil’s LGPD, and California’s CCPA) under which organizations owe individuals a structured response explaining how they handle their personal data. Executing subject rights management requires collaboration between the departments involved, together with automation.
In the Maintain stage, organizations perform ongoing functions such as administration, resource management, and scaling of repetitive tasks that help sustain their privacy management program over time. These functions can be chosen based on problems previously encountered in the organization’s privacy management program.
Measurement and Reporting
Follow a risk-based approach to privacy and conduct risk assessments, including a data protection impact assessment (DPIA) for high-risk processing activities. Commercial software tools should be used for data inventory and mapping. These measures require transparent accountability with business process owners and an agile, risk-based reporting structure. The action plan is based on the organization’s risk prioritization, following its risk appetite and tolerance levels.
Data Mapping/Life Cycle Visualization
One of the most important steps in building an effective data privacy management program is to map all the data in your organization and build an inventory. If you’re unaware of the data you possess, what it’s being used for, how it’s being used, and by whom, it is difficult to know whether you are meeting the privacy requirements that apply to your organization. Without this information, it also becomes difficult to respond to data subject access requests (DSARs), since you wouldn’t know where the data resides.
PIA (Privacy Impact Assessment) Automation
Although many organizations start the process manually with spreadsheets and questionnaires, this becomes difficult to administer over time. PIA automation tools allow API-driven triggers to initiate an assessment and track it through a predefined workflow until the process is concluded or flagged for remediation. PIAs identify and guide the use of personal data across the organization and are one of the keystones of a privacy management program.
Incident Response Automation
Automation in incident response removes the inconsistency and subjectivity of a manual process. Almost every organization has an incident management process in place, but privacy-related incidents such as breaches require existing processes to be updated to assess whether an incident must be disclosed. Solutions on the market handle privacy-related cases so that the data protection team is notified and appropriate steps can be taken.
Privacy centers are also referred to as self-service portals. These allow the organization to expose data, how it is being used, and the administration of user consent choices. A high level of privacy management maturity can be seen in organizations that have well-developed preference centers, which give maximum control to the data owner and permit a smooth subject rights fulfillment experience.
In the Evolve stage, the organization uses specialist tools that focus on privacy risk reduction. These tools have minimal or no impact on the data’s utility to the organization.
The GDPR outlines a specific set of rules that protect user data and create transparency. It allows companies to collect anonymized data without consent, use it for any purpose, and store it indefinitely, as long as all identifiers are removed from the data. The GDPR also encourages pseudonymization and distinguishes it from anonymized data. The objective isn’t simply to eliminate personal data but to reduce the risk to a level the organization’s risk appetite tolerates. The processing requirements mainly dictate that personal data is not processed in its raw state; rather, it is anonymized or pseudonymized for the objective of processing and with the explicit purpose of reducing risk to individual privacy. These tools should also test the effectiveness of anonymized/pseudonymized datasets regularly to confirm that the effort involved in re-identification is balanced against the risk that the data represents.
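The distinction drawn above, as an added illustration that is not part of the original article or of any Gartner tooling: keyed pseudonymization replaces the direct identifier but stays reversible for whoever holds the key, whereas generalizing quasi-identifiers and measuring the smallest group size (k-anonymity) is one way to check how much re-identification effort a released dataset demands. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people): one direct identifier (email),
# two quasi-identifiers (zip, age) and one sensitive attribute (diagnosis).
RECORDS = [
    {"email": "a@example.org", "zip": "10115", "age": 34, "diagnosis": "flu"},
    {"email": "b@example.org", "zip": "10117", "age": 37, "diagnosis": "asthma"},
    {"email": "c@example.org", "zip": "10119", "age": 31, "diagnosis": "flu"},
    {"email": "d@example.org", "zip": "20095", "age": 52, "diagnosis": "diabetes"},
    {"email": "e@example.org", "zip": "20097", "age": 58, "diagnosis": "flu"},
    {"email": "f@example.org", "zip": "20099", "age": 55, "diagnosis": "asthma"},
]


def pseudonymize(record, key):
    """Swap the direct identifier for a keyed HMAC token.

    The key is the 'additional information' that GDPR Art. 4(5) requires to be
    kept separately: anyone holding it can re-link tokens to people, so the
    output is still personal data, only with reduced exposure.
    """
    token = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k != "email"}
    out["subject_token"] = token
    return out


def generalize(record):
    """Coarsen quasi-identifiers so several subjects share each combination."""
    out = {k: v for k, v in record.items() if k not in ("email", "subject_token")}
    out["zip"] = record["zip"][:2] + "***"          # keep only the region prefix
    decade = record["age"] // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"           # bucket age into decades
    return out


def k_anonymity(records, quasi_ids):
    """Size of the smallest equivalence class over the quasi-identifier columns.

    k == 1 means at least one person is unique on those columns and can be
    singled out; a release policy sets the minimum k it tolerates.
    """
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values())


if __name__ == "__main__":
    key = b"constructed-demo-key-kept-elsewhere"  # assumption: stored separately
    pseudo = [pseudonymize(r, key) for r in RECORDS]
    print("raw k =", k_anonymity(RECORDS, ("zip", "age")))                   # 1
    print("generalized k =", k_anonymity([generalize(r) for r in pseudo], ("zip", "age")))  # 3
```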
Analytics and Business Intelligence (ABI)
One of the hardest challenges to address in a privacy program is the use of ABI. Solutions in this category are complex and usually depend on equally complex technology, such as differential privacy or homomorphic encryption. These techniques allow organizations to balance their legitimate interest in mining large data pools for insight against the individual’s privacy rights.
Data End-of-life Controls
As organizations gain a better understanding of their data and accurate, automated privacy risk scoring, data retirement becomes routine. Organizations can choose from a range of risk reduction methods to treat personal information at end of life with a balanced, risk-based approach in both production and offline storage/backup environments.
The current scenario, and what we can expect to see in the future
The GDPR has taken the data privacy world by storm, and organizations realize they can’t cut corners anymore when it comes to dealing with personal data. Many organizations have been fined heftily, and many more fines will likely be imposed.
Although the regulation came into effect in May 2018, most organizations are still not equipped to comply, despite the prospect of being fined. Recent research by Capgemini, which surveyed over 1000 privacy and data protection personnel, found that even though many organizations were confident they would be compliant before the GDPR hit, this wasn’t the case in reality, and they are still struggling to achieve complete compliance. Now, only 28% of those surveyed believe that they are fully GDPR compliant, 36% believe that the requirements of the GDPR are too complex and take a massive effort to implement, and 33% say that the costs of becoming compliant are quite restrictive. “For many organizations, the true size of the GDPR challenge only became apparent as they began the initial projects to identify the applicable data that they held. As a result, only the most focused organizations had completed their GDPR readiness by the time the legislation came into force,” said Chris Cooper, head of cybersecurity practice at Capgemini.
What these companies don’t realize is that, apart from the risk of fines, lost customers, and financial and reputational damage, they are also missing out on the benefits that compliance brings. Of those surveyed, 92% of the companies that are fully GDPR compliant believe that compliance has given them a competitive advantage, with increased customer trust, customer satisfaction, and brand image leading to an overall increase in revenue. Hence, instead of focusing only on the prospect of being fined, organizations should strive to be compliant for overall business growth and as a driver of increased customer trust.
Data protection authorities in all member states have been increasing staff numbers and expanding their areas of expertise in their quest to become fully compliant. For instance, the Irish supervisor has increased staff numbers from 30 in 2014 to 130 in 2018 and has plans for further increases during 2019. Many technology giants, including Facebook, Twitter, Microsoft, LinkedIn, and Google, have their European headquarters in Ireland.
Of course, people alone are not enough. Complete compliance can only be achieved with the help of technology-enabled solutions. According to CPO Magazine, organizations are actively evaluating and implementing supporting technologies.
It has been a year and a half since the GDPR was rolled out, and despite a good start by organizations and regulators, the full effects of the regulation are yet to be seen. Data protection authorities are still adjusting to their expanded roles, and organizations have yet to understand the crucial role of technology.
“The introduction of GDPR was not a deadline but the start of an ongoing process, and there is a lot more work to be done. That said, we will not hesitate to act in the public’s best interests when organizations willfully or negligently break the law,” said a statement from the UK’s Information Commissioner’s Office (ICO).