Looking beyond simplistic clichés: A real-life take on GDPR for CIOs
Various clichés bouncing about on social media are simplistic and must be challenged
Over the past 6 months, social media and the Internet have been inundated with GDPR-related material. Law firms, consultancies – large and small – and even tech firms have all jumped on what they perceive to be a lucrative bandwagon. And indeed, the regulation has the potential to be a catalyst to drive real action around security and privacy.
But at the same time, it is key to put things in perspective and look beyond a few very simplistic clichés.
GDPR and BREXIT
The two topics obviously relate to the European Union and are easily mixed up by those looking for cheap headlines, but in practice they have little in common.
UK firms controlling or processing personal data related to citizens of other EU member states will be expected to comply with GDPR regardless of Brexit (like US, Chinese or Brazilian firms for example).
In addition, at the time of writing and with all due caveats:
- The UK is still expected to be a member of the EU on 25 May 2018.
- It is expected that all pre-existing legislation and regulation would first transfer into UK law post Brexit before being re-examined and amended if and when required.
- The current UK government and the current UK ICO have indicated their intention to enact or support similar legislation, even if there may be potential areas of conflict between the GDPR and the UK legislation such as the Investigatory Powers Act that might lead to legal or parliamentary scrutiny.
There may be a degree of cynicism amongst business communities around “yet another” piece of regulation, and some truly difficult aspects to enforce (e.g. the “right to be forgotten”), but GDPR remains a genuine attempt to enhance privacy protection for citizens and consumers, and it looks like it is here to stay irrespective of Brexit.
You must be compliant by 25th May 2018
Of course, this is true to a large extent, but things are not that simple.
First of all, compliant with what? … The language used in the Regulation is far from unambiguous, and there is no way of knowing how regulators will interpret it (e.g. “major breach” or “appropriate measures”), either on a case-by-case or on a country-by-country basis. Such interpretations may be inconsistent and in turn may be challenged in court.
What is clear is that liabilities will change overnight on 25th May 2018, with fines that could reach tens or hundreds of millions for large firms. However, the actual level at which the first real fines will be set cannot be determined, and is also highly likely to be challenged, given the amounts that might be involved.
So it has to be expected that all this will only be resolved through court cases and that it will take years for the dust to settle.
Fundamentally, it is wrong to look at GDPR compliance as a “tick-in-the-box” exercise, to be completed by 25 May 2018.
This is about remaining in compliance thereafter, in a context where the legislation could well become tighter in the future or evolve country by country.
Where maturity is relatively high already around privacy and security, firms might just treat this as an alignment exercise; but where maturity is low, it has to be seen as a fundamental transformational challenge.
Frankly, firms that are genuinely starting from scratch today on this matter have a serious problem on their hands that might take considerably more than 12 months to resolve.
They must think in terms of creating true transformational dynamics around security and privacy and look back at the roadblocks that have prevented them from making progress in the past.
After all, many of the aspects contained in GDPR are not new (the UK Data Protection Act goes back to 1998), but it will challenge corporate governance practices to get things moving and will force firms to look across silos to drive change.
Evidence of real transformational dynamics and credibility of management backing are probably more important than raw compliance for the short to mid-term, until the dust settles on all legal matters.
The first thing to do is to appoint a DPO
Again, things are not that simple. First of all, many firms already have a DPO, and some will not need one (see GDPR article 37).
But fundamentally, just appointing someone to shift the problem is not likely to help, as accountability on these matters will continue to lie with the Board and executive management.
What you need is the right DPO. The right DPO to address the real challenges you face around security and privacy.
And that has to start with an assessment of your real maturity around those matters, and the nature of the journey you will have to make to reach a degree of GDPR compliance.
The role of the DPO will be to build a clear plan towards compliance and orchestrate delivery of what could be a complex package of measures. This is a context where roles and responsibilities have to be clear for all stakeholders, and where the DPO – as an individual – will require the right amount of personal gravitas and credibility in most firms in order to get things done.
In addition, GDPR compliance cannot be regarded just as a legal matter, or just as a security matter, or just as a technology matter … it has to encompass all those aspects, and the DPO will have to be credible in all those areas.
So it could be a genuinely difficult position to fill. In large firms, it is key to appoint an executive with the right degree of seniority and experience across the areas where change is required, and ensure that the role is supported by a team of experts (internal and external). In small firms, there may be a single person able to meet all those criteria, but equally it may be sensible to use an external service provider (DPO as a Service), something the Regulation allows.
The GDPR is the strongest lever in years to drive real action around data privacy and security
It brings a real risk of significant material impact on companies and their Boards of Directors
- But there is no magic technology solution
- Do not rush into appointing a DPO to shift the problem
- First, analyse your maturity posture with regards to data privacy and security
- Quite a lot of this is not new and you should be already there on many points
- Where maturity is low, look back at the roadblocks that have prevented progress in the past, and build the right governance model to remove those
- THEN appoint the right DPO to assemble a clear action plan and drive it, so that you have a defendable position irrespective of your initial maturity posture
Evidence of real transformational dynamics and credibility of management backing are key for the short- to mid-term until the dust settles on all legal and regulatory matters
Corix Partners, together with DA Resilience, Next World Capital, Wise Partners in Paris and a number of experts, has analysed the impact the GDPR can have around privacy and security, and is offering a real-life perspective in a whitepaper which can be downloaded using this link: GDPR: A Catalyst to Drive Real Action around Privacy and Security