With just four months to go before the General Data Protection Regulation compliance deadline, there is a growing anxiety in many parts of the regulated community that their GDPR plans may not be fit for purpose
Only by ensuring they are able to address specific data protection scenarios can organisations restore confidence that they are on the right track, according to a top data protection and legal adviser.
“As the compliance deadline for the EU’s General Data Protection Regulation (GDPR) approaches, a wider range of people within organisations are getting involved in the internal compliance programme and some are expressing concerns that important data protection risk scenarios have not been addressed,” says Stewart Room, data protection lead at PwC in the UKand globally.
“There is growing concern that many organisations may not be as well equipped to meet future data protection challenges as they would have hoped, as internal audit and other parts of the business start to view data protection risks through their own particular ‘lenses’,” he told Computer Weekly.
According to Room, who is also PwC’s cyber security legal services lead, organisations have the opportunity to learn critical lessons from what has happened in the world of cyber security in the past 10 years to avoid going through the same painful, costly and lengthy learning curve.
“After going through the repeated pain of failing to deal with the onslaught from cyber attackers, security professionals have recognised that the goal is not security per se, but to identify and address the important cyber security scenarios that matter the most, so that the decisions about treatment can be driven towards those priority goals,” he said.
Room suggested that it follows naturally, that by recognising that the goal of the GDPR is for organisations to be able to spot and address important data protection scenarios, the regulated community could avoid potentially years of painful failure by learning the lessons of cyber security.
“The good news is that we already know what the scenarios are for data protection and how they work, but the question is whether an organisation’s data protection programme takes these things into consideration,” he said.
Although data protection scenarios will differ from organisation to organisation, Room said each has a history that can be drawn upon to create an explicit picture of what its most important data protection scenarios are, enabling it to make informed choices about its priorities.
“This means countries, industry sectors and individual organisations can actually plot out the major and most important data protection scenarios to address,” he said.
Room believes a lot more can be done with this sort of scenario-based planning than many organisations have done with a compliance-based approach.
A compliance-based approach has resulted in a clear pattern of data protection programme design across industries and sectors, which means most organisations are building to a similar template, he said.
“With the diversity of organisations in the economy, this similarity is puzzling until you realise that they are all essentially building a legislative compliance programme,” he added.
While most of these organisations believe their data protection programmes are based on a risk-based approach, Room said this cannot be true because risk is different for every organisation.
“If you have a standardised model and you believe it is risk-based, and there is very little difference across the entire economy, that can only be explained as a legislative compliance programme, and effectively what is being addressed are discrete requirements in the Articles and Recitals of the GDPR legislative text,” he said. “There is no other explanation for it.”
As a result, said Room, the programmes are reflecting the legislative text of the GDPR that was adopted by the European Commission in 2016, rather than all the perspectives and concerns that have emerged subsequently.
All the concerns raised by the Article 29 Working Group and data protection authorities throughout the EU also need to be addressed in a programme that delivers real risk mitigation or delivers mitigation of risk seen through a range of “lenses”, he said.
“This is important because legislative risk is seldom the source of real risk in a business, but rather just one of the yardsticks against which other areas of risk may be judged,” said Room. “If you have a risk in your business, you can measure it against the yardsticks of legislative compliance, reputational damage and economic loss, but legislative compliance on its own cannot address all risk.
“And if most data protection programmes are built to address legislative risk, the question is: how is the business satisfied that it is going to address real scenarios of risk? My perspective is that the ideas of real risk are often not reflected inside many GDPR programme designs.”
New set of risk ‘lenses’
As a result, when these programmes that were designed a year or more ago have been examined more recently through a new set of risk “lenses” by a new and wider set of experts within organisations, shortcomings have been identified, leading to a growing concern that things are missing.
Room believes this is one of the key drivers of the anxiety now being voiced by members of the regulated community as the GDPR compliance deadline approaches.
“Parts of the business that were not part of the original programme design are struggling to see how the data protection risks that they have identified are factored in, and so there is a collective anxiety that the programme may not have been designed properly and is therefore not capable of delivering the necessary outcomes,” he said.
According to Room, it is vital that every data protection programme has some single convergence point designed in so that all the workstreams aimed at tackling specific problems will converge to ensure that all the likely major data protection scenarios can be addressed.
Fortunately, Room also believes it is not too late to change direction. “There is still time to focus on priority scenarios and I encourage organisations to take advantage of the time that is remaining to them to do so,” he said.
“Ploughing on in the knowledge that risks have not been properly identified would be a grave mistake. Taking action now can have an impact, reducing the opportunities for failure and the effects of failure.
“Moreover, in some organisations, the changes might be as simple as connecting some of the programme artefacts into workable end-to-end processes for addressing problems when they materialise.”