The General Data Protection Regulation (GDPR) marked its two-year anniversary in May 2020 as one of the “toughest privacy and security” regulations, according to the European Union. GDPR has triggered a global movement of maturing privacy and data protection laws with stricter requirements.
Meanwhile, the global COVID-19 pandemic is affecting day-to-day reality. While organizations were already working on GDPR compliance, COVID-19 is making its adoption more urgent.
We are now in the transitional year of the GDPR adoption journey, with the primary focus on demonstrating compliance. As per the enforcement timeline, 2020 is the year to report on the implementation of the GDPR.
The EU issued a two-year review of GDPR on June 24, 2020. The report details the EU commission’s work on the international dimension of privacy reinforcement by strengthening cooperation between European and international regulators to develop elements of convergence between different privacy systems.
Gartner has predicted that by 2023, 65% of the world’s population will have its personal information covered under tough privacy regulations, up from 10% currently. The high-tech research firm estimates over 60 jurisdictions have enacted or proposed strong privacy and data protection laws since 2018.
How Does the Pandemic Impact GDPR?
The European Data Protection Board (EDPB) has been periodically releasing statements about GDPR applicability to the outbreak of the global pandemic. The pandemic has pushed enterprises and organizations of all sizes to modernize their IT infrastructures to accommodate the changing business landscape. COVID-19 circumstances demand organizations to consider intensifying privacy initiatives and preparing for enforcement. This is driving organizations to re-think and transform their traditional privacy management programs.
The EDPB has issued guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The board tries to strike a balance between data privacy and the need for technology to help fight COVID-19. It stresses the GDPR principles of effectiveness, necessity and proportionality to guide any COVID-19 measure adopted that involves the processing of personal data.
How Can Organizations Reinforce Privacy?
The compliance responsibility for regulations like GDPR does not just lie with organizations, employees and customers. It includes everyone as we cope with many other pressing challenges during the COVID-19 pandemic. To strengthen regulation enforcement preparedness, organizations can take a systemic approach to reinforcing privacy in the changing business landscape and emphasize building a privacy culture.
Delivery Teams’ Key Challenges
In medium-sized to large enterprises, the standard delivery lifecycle undergoes five key phases: initiate, plan, design, implement and deploy. Most delivery teams struggle to align and fit compliance elements into the standard delivery lifecycle phases. Here are four shortcomings that affect the compliance journey in the delivery lifecycle:
- Lack of awareness and training on GDPR Technical and Organizational Measures (TOMs).
- Lack of GDPR solution guidelines.
- Lack of understanding of the TOM implementation process.
- Lack of awareness of organizational compliance validation approaches.
There are several key questions about GDPR compliance which delivery teams should consider. Where do you start on the GDPR compliance journey? What GDPR TOM controls apply to project delivery and how can your team implement them? What are the solution design guidelines for applicable GDPR TOMs? And, what GDPR compliance evidence do you need to show?
Initial concern on the first anniversary (May 2019) of GDPR has faded. The second anniversary (May 2020) is the beginning of the enforcement wave. Delivery teams play a key role in that enforcement. To answer the above questions, let us first understand the compliance elements across the people, process and technology pillars and view the compliance model through a delivery team lens.
Understand GDPR Compliance Elements
How can you map the compliance elements in the key pillars of an organization?
That question was a focus in the first year of GDPR’s implementation. By now, most organizations should have mapped the compliance elements across their people, process and technology pillars and developed a map of the GDPR compliance elements. Here is a sample:
Fig-1: GDPR compliance elements (Source: IBM)
Once we have a view of the compliance elements, the next step is to build a practical framework from a delivery perspective.
Operationalize the GDPR Compliance Framework
The GDPR compliance model hooks the elements of people, process and technology into the delivery lifecycle phases. By doing this, it addresses delivery teams’ concerns about achieving and showing GDPR compliance. It provides the guidelines for the inclusion of GDPR TOMs in a project lifecycle. Below is a sample compliance model that demonstrates how a client can integrate the compliance elements into the delivery lifecycle phases. At the top of the model is the governance layer that ensures executive involvement, defined policies, compliance, risk management, metrics and reporting.
Fig-2: GDPR compliance framework model (Source: IBM)
A successful GDPR compliance program requires the team to examine delivery barriers to TOM implementation. Additionally, they must show compliance and foster a ‘privacy culture’ in the delivery lifecycle. Below are the key benefits that organizations could achieve with a robust compliance model:
- Executive Commitment and Action. Executive leadership can steer successful implementation across the delivery lifecycle as well as govern and track GDPR compliance.
- Clear Roles and Responsibilities. The model helps in understanding the clear roles and responsibilities for stakeholders and decision-makers in the delivery lifecycle.
- Formalized Process Documentation. Defined processes and guidelines help enable the team to add value, provide quality, deliver with speed and demonstrate compliance.
- GDPR Control Assessments: Delivery teams can get an understanding of their compliance journey at any stage of the delivery lifecycle and work on continuous improvement.
- Culture of Data Privacy in the Organization’s DNA: The model helps foster a privacy culture in the delivery lifecycle and helps build clients’ trust to become a key differentiator.
To help optimize the benefits of the compliance framework, privacy practitioners could look to reduce administrative burdens from manual workloads to support speed and agility in the delivery lifecycle.
Uses of Privacy-Enhancing Technology
Statistics from the introduction of GDPR in 2018 indicate human error has been a root cause of many data breaches. According to the 2019 Cost of a Data Breach Report conducted by the Ponemon Institute and sponsored by IBM Security, human error was the source of 24% of all data breaches. Human error can impact the success of even the strongest security strategies, such as those employed by healthcare organizations that collect highly sensitive personal information.
So, what’s the best way to prevent data breaches due to human error? It might be time to explore data-driven solutions for making the compliance journey easier.
According to Gartner, more than 40% of privacy compliance technology will rely on artificial intelligence (AI) by 2023, up from 5% currently. AI-powered solutions can help by reducing the inherent risks of human error as well as maintaining greater control over GDPR compliance enforcement. They also address the concerns of meeting privacy demands with speed and restoring customer trust.
Evolving Privacy Management Programs
Privacy engineering is an emerging discipline that has come to the forefront in recent years. It requires suitable security engineering expertise to be deployed. GDPR has set the requirements as per Art. 25 GDPR “Data protection by design and by default” for acceptable levels of privacy.
Going forward, enterprises can take stock of their compliance journey and focus on building privacy levels. These levels should cover standardizing compliance operations from a delivery standpoint and exploring privacy-enhancing technologies. These technologies, along with a privacy-by-design approach, can be hooked into the organization’s privacy management programs to build trust.
Today, while the world is preoccupied with responding to the COVID-19 pandemic, it will be worthwhile to watch how privacy management programs evolve in response.
COVID-19 has changed our lives with new work styles, new data privacy issues and new controls. Now, it’s time to rethink data protection and privacy programs and re-establish compliance elements across the delivery lifecycle to create a safer digital world before the next crisis unfolds.
Managing Consultant, IBM Security