Behind the curtains of GDPR – one year after
By Sergey Kishkurno
The Dark Side of the Moon
When GDPR came into force in May 2018, EU companies had been expecting a smart, step-by-step process. Instead, from the very first day we have been watching something of a thriller, in which companies failed to cope with the regulatory changes in time and fell under the regulator's sanctions. To a large extent this is not logical: less strict but systematic regulation in the data protection field has been in place in all European countries since the early 2000s, so it is unfair to blame business for a light-minded attitude to the problem.
One of the key public authorities in Ukraine asked me two simple and obvious questions about the processing of EU citizens' personal data:
- What kind of audit should we pass, and what results can we obtain?
- Without waiting for an official compliance audit, how can we make sure that we are fully compliant with GDPR, and which document can certify that compliance?
I tried to answer without glossing over reality, having very few options to choose from. These answers did not satisfy even me.
In fact, even public organizations sometimes have to act by guesswork when aiming to guarantee the protection of personal data. Obtaining an opinion, or even a certification, from an expert company is a good step but not a sufficient one. Guaranteed compliance with GDPR remains a vague target because of several questionable points; consider, for example, the following:
- The organizational context of the DPO (Data Protection Officer) position. Compare this with how the position of head of the compliance function is described for financial organizations (see 'Principle 5: Independence', Compliance and the compliance function in banks, Basel Committee on Banking Supervision). It is the same general level, but only a number of clear directions are given to define the context.
- The excellent principles 'Privacy by Design' and 'Privacy by Default' are perfect for strategic consideration when designing goods and services, but they are impractical for making changes against deadlines in the context of preparing for a compliance audit.
- It is also a good idea to implement the ISO 27000 principles in full and build an information security management system (ISMS). Solutions such as DLP, SIEM and database encryption are very useful and bring the organization closer to meeting GDPR requirements. The problem is that closer is simply not enough.
In general, GDPR compliance is today a real challenge for business, which copes with it as best it can.
Why is it so complicated?
It is well known that one of the most flagrant cases of personal data breach was reported by the UK Fraud Prevention Service in 2013. Obviously, such cases threaten the rights of EU citizens and cannot remain unanswered. Both the legal and the technical preconditions were indisputable and logically led to the update of the regulation in the form of GDPR. Data owners were clearly promised that their rights and freedoms would be protected effectively.
Several months before May 2018 the picture in practice looked far less bright. Numerous surveys by Capgemini, the Big Four and others showed complete readiness for GDPR compliance in fewer than 10% of organizations. The rest had a lot of work to do, and some of them had not even started.
Why did GDPR requirements turn out to be so hard to implement?
One of the key reasons is that we have a legal rather than a technology-oriented regulation. Comparing it with the ISO 27000 standard, it is evident that the accent on the legal approach leaves a lot to add and interpret for the IT ecosystems of organizations. On the other hand, GDPR implies an audit approach very similar to the one used in the information security field.
GDPR came into force with immediate effect; there was no harmonization period for the national legislation of the EU member states. In this way GDPR sent a clear message to EU residents that their personal data would be protected more effectively than ever. Fine! Nevertheless, it did not mean the replacement of national ePrivacy laws. On its own initiative, Germany delivered in time its national law DSGVO, aimed at harmonization. But some delicate questions remain in practice. Luxembourg has indeed replaced its national law with GDPR, but it has no followers so far; maybe this works well for smaller countries. In fact, we have a rather unique legal-framework situation in every EU country.
What are the opportunities to move forward? Among the most critical tasks I would single out the following two:
- Update GDPR with completeness criteria that show, clearly and indisputably, when an organization is fully compliant. Why not use a S.M.A.R.T.-based approach? Organizations really need such criteria to organize their processes, make all the necessary changes, and interact effectively with DPAs during audits.
- Create statutory certification requirements and manage such certification as a legal, authorized standard empowered at the regulator's level. Setting this touchstone would be a huge step forward and would definitely improve understanding between the market and the regulator. Moreover, periodic statutory re-certification would accelerate the creation of best practices and inspire their spread across all related markets.
Positive Effects and Automation
Obviously, the introduction of GDPR has the following positive effects:
- In spite of the issues above, GDPR marks a significant step forward in the systematization and standardization of ePrivacy norms. Data owners receive positive signals that their personal data is becoming more and more protected.
- It is a great incentive for all organizations to pay attention and put much more effort into the protection of personal data;
- Through the principle of 'Privacy by Design', GDPR influences the evolution of information systems, adding valuable requirements;
- GDPR makes its own unique contribution to cyberspace security;
- Good news for everyone who specializes in process management: achieving GDPR compliance is almost impossible without mature and competent management of the organization's business processes.
On the IT market, the introduction of the new ePrivacy regulation attracted many IT companies that somehow felt ready to help the affected organizations. Since 2017 a great number of IT solutions solving separate related tasks have simply flooded the market.
This market movement turned out to have less value than expected, for evident reasons.
- Applying an 'off the shelf' solution is useless; it does not work at all. Bringing the business into line with GDPR requirements is a complex and lengthy process. Moreover, after achieving the necessary level of compliance at a certain moment, an organization needs to continue some of its efforts permanently.
- A separate piece of software giving one big picture of the compliance state is not useful until it is fed with a variety of specific data representing the processes and technological systems. Obtaining this data is definitely a non-trivial task.
- We see many products that solve separate tasks in the GDPR compliance field. But the fact is that organizations do not need partial automation. They are looking for a complete solution and are ready to pay for such completeness. When they obtain several pieces of the whole solution, obviously they have to assemble the puzzle themselves.
Of course, competent system solutions do appear on the market, based on in-depth expertise in the field as knowledge is gained in real projects. Market analysis in this area is beyond the scope of this publication.
Innovation Development HUB advice
As a starting point, it is necessary to take into account which privacy protection mechanisms have already been implemented.
During the project, some key points require special attention:
- Development of a personal data processing policy and implementation of processes that ensure compliance with GDPR requirements. We need a solid, systemic personal data processing policy correctly established in the organization, and we need to keep focus on all the processes affected by GDPR requirements, i.e. consent management, incident management, access management, backups, etc. Introducing the DPO position into the organizational structure is also very important.
- Permanent legal support of consent management. This is a case where the organization's legal service should be constantly aware of the nuances of how the organization's IT systems work and how interaction between the organization and the owners of personal data takes place. Consent management processes are where GDPR compliance begins, as well as lawsuits and possible fines. It is encouraging that the market has already made its greatest efforts here to standardize and create best practices.
- Systematic work on improving the information security management system in the context of the ISO 27000 series standards. If the organization has not yet implemented an information security management system in this way, it is recommended to do so ASAP. One of the nuances here is creating a correct data classification.
- Organization of personal data monitoring. For all organizations that process personal data systematically it is highly desirable to build an effective monitoring system; in other words, to automate control of the parameters that show whether GDPR requirements are met.
- Data de-personalization and control of the boundaries of the organization's responsibilities. According to GDPR, the main way to comply is to 'de-personalize' personal data inside the organization, i.e. to convert data in such a way that it cannot be associated with a real person. Moreover, the organization should guarantee that personal data is kept protected right up to its boundaries. Encryption and other de-personalization techniques must be used to perform this key task in the automation of GDPR compliance controls.
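In GDPR's own vocabulary (Art. 4(5)) the de-personalization described above is pseudonymization: the data can no longer be attributed to a person without additional information that is kept separately. The following Python is an added example, not code from the article or from Innovation Development HUB. It replaces direct identifiers with keyed HMAC-SHA256 tokens (the key is the separately kept "additional information"), coarsens quasi-identifiers, uses a context label so tokens issued for one recipient cannot be joined with another's, and includes the kind of automated check the monitoring point above calls for. The field names, generalization rules and sample records are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Any, Callable, Dict

# Constructed assumptions: which fields are direct identifiers and how
# quasi-identifiers are coarsened is a per-organization decision.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
GENERALIZERS: Dict[str, Callable[[str], str]] = {
    "birth_date": lambda v: v[:4],   # keep only the year
    "postcode": lambda v: v[:2],     # keep only the leading area part
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def generate_key() -> bytes:
    """Fresh 256-bit pseudonymization key. Store it outside the analytics
    data store (HSM, secrets manager); without it tokens cannot be re-linked."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes, context: str) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated to 128 bits).
    The same value, key and context always give the same token, so records
    about one person remain linkable inside the organization. The context
    label separates token spaces, e.g. one per external recipient, so a
    partner cannot join its export with data from another boundary."""
    canonical = value.strip().lower().encode("utf-8")
    mac = hmac.new(key, context.encode("utf-8") + b"\x00" + canonical, hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize_record(record: Dict[str, Any], key: bytes,
                        context: str = "internal") -> Dict[str, Any]:
    """Replace direct identifiers with tokens and coarsen quasi-identifiers;
    every other field is passed through unchanged."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[f"{field}_token"] = pseudonym(str(value), key, context)
        elif field in GENERALIZERS:
            out[field] = GENERALIZERS[field](str(value))
        else:
            out[field] = value
    return out


def leaks_direct_identifiers(record: Dict[str, Any]) -> bool:
    """Monitoring control: flag a record that still carries a raw identifier
    field, or any string value that looks like an e-mail address."""
    if any(f in record for f in DIRECT_IDENTIFIERS):
        return True
    return any(isinstance(v, str) and EMAIL_RE.search(v) for v in record.values())


# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.com", "phone": "+352 000 0000",
     "birth_date": "1987-03-14", "postcode": "L-1234", "plan": "gold"},
    {"name": "Bob Sample", "email": "bob@example.org", "phone": "+49 000 00000",
     "birth_date": "1990-11-02", "postcode": "10115", "plan": "basic"},
]

if __name__ == "__main__":
    key = generate_key()
    for rec in SAMPLE_RECORDS:
        safe = pseudonymize_record(rec, key)
        assert not leaks_direct_identifiers(safe)
        print(safe)
```

Two design points matter in practice. Truncating identifiers is not the same as anonymization: as long as the key exists the data is pseudonymous, so the key's storage and access control are the real boundary of responsibility. And the monitoring check is deliberately value-based as well as field-based, because free-text fields are where raw identifiers usually survive a migration.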
These recommendations are important but, of course, not sufficient. In real projects we meet many nuances and specific issues. We hope Innovation Development HUB's competence will be a good help in your GDPR-related projects.
Some interesting links
A huge amount of information related to GDPR is easy to find. This is a small batch of links that touch the most fundamental issues raised in the article.