August 12, 2020 By Preeti Bhisikar 5 min read

The General Data Protection Regulation (GDPR) marked its two-year anniversary in May 2020 as one of the “toughest privacy and security” regulations, according to the European Union. GDPR has triggered a global movement of maturing privacy and data protection laws with stricter requirements.

Meanwhile, the global COVID-19 pandemic is affecting day-to-day reality. While organizations were already working on GDPR compliance, COVID-19 is making its adoption more urgent.

We are now in the transitional year of the GDPR adoption journey, with the primary focus on demonstrating compliance. As per the enforcement timeline, 2020 is the year to report on the implementation of the GDPR.

The EU issued a two-year review of GDPR on June 24, 2020. The report details the EU commission’s work on the international dimension of privacy reinforcement by strengthening cooperation between European and international regulators to develop elements of convergence between different privacy systems.

Gartner has predicted that by 2023, 65% of the world’s population will have its personal information covered under tough privacy regulations, up from 10% currently. The high-tech research firm estimates over 60 jurisdictions have enacted or proposed strong privacy and data protection laws since 2018.

How Does the Pandemic Impact GDPR?

The European Data Protection Board (EDPB) has been periodically releasing statements about GDPR applicability to the outbreak of the global pandemic. The pandemic has pushed enterprises and organizations of all sizes to modernize their IT infrastructures to accommodate the changing business landscape. COVID-19 circumstances demand organizations to consider intensifying privacy initiatives and preparing for enforcement. This is driving organizations to re-think and transform their traditional privacy management programs.

The EDPB has issued guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The board tries to strike a balance between data privacy and the need for technology to help fight COVID-19. It stresses the GDPR principles of effectiveness, necessity and proportionality to guide any COVID-19 measure adopted that involves the processing of personal data.

How Can Organizations Reinforce Privacy?

The compliance responsibility for regulations like GDPR does not just lie with organizations, employees and customers. It includes everyone as we cope with many other pressing challenges during the COVID-19 pandemic. To strengthen regulation enforcement preparedness, organizations can take a systemic approach to reinforcing privacy in the changing business landscape and emphasize building a privacy culture.

Delivery Teams’ Key Challenges

In medium-sized to large enterprises, the standard delivery lifecycle undergoes five key phases: initiate, plan, design, implement and deploy. Most delivery teams struggle to align and fit  compliance elements into the standard delivery lifecycle phases. Here are four shortcomings that affect the compliance journey in the delivery lifecycle:

  • Lack of awareness and training on GDPR Technical and Organizational Measures (TOMs).
  • Lack of GDPR solution guidelines.
  • Lack of understanding of the TOM implementation process.
  • Lack of awareness of organizational compliance validation approaches.

There are several key questions about GDPR compliance which delivery teams should consider. Where do you start on the GDPR compliance journey? What GDPR TOM controls apply to project delivery and how can your team implement them? What are the solution design guidelines for applicable GDPR TOMs? And, what GDPR compliance evidence do you need to show?

Initial concern on the first anniversary (May 2019) of GDPR has faded. The second anniversary (May 2020) is the beginning of the enforcement wave. Delivery teams play a key role in that enforcement. To answer the above questions, let us first understand the compliance elements across the people, process and technology pillars and view the compliance model through a delivery team lens.

Understand GDPR Compliance Elements

How can you map the compliance elements in the key pillars of an organization?

That question was a focus in the first year of GDPR’s implementation. By now, most organizations should have mapped the compliance elements across their people, process and technology pillars and developed a map of the GDPR compliance elements. Here is a sample:

Fig-1: GDPR compliance elements (Source: IBM)

Once we have a view of the compliance elements, the next step is to build a practical framework from a delivery perspective.

Operationalize the GDPR Compliance Framework

The GDPR compliance model hooks the elements of people, process and technology into the delivery lifecycle phases. By doing this, it addresses delivery teams’ concerns about achieving and showing GDPR compliance. It provides the guidelines for the inclusion of GDPR TOMs in a project lifecycle. Below is a sample compliance model that demonstrates how a client can integrate the compliance elements into the delivery lifecycle phases. At the top of the model is the governance layer that ensures executive involvement, defined policies, compliance, risk management, metrics and reporting.

Fig-2: GDPR compliance framework model (Source: IBM)

A successful GDPR compliance program requires the team to examine delivery barriers to TOM implementation. Additionally, they must show compliance and foster a ‘privacy culture’ in the delivery lifecycle. Below are the key benefits that organizations could achieve with a robust compliance model:

  • Executive Commitment and Action. Executive leadership can steer successful implementation across the delivery lifecycle as well as govern and track GDPR compliance.
  • Clear Roles and Responsibilities. The model helps in understanding the clear roles and responsibilities for stakeholders and decision-makers in the delivery lifecycle.
  • Formalized Process Documentation. Defined processes and guidelines help enable the team to add value, provide quality, deliver with speed and demonstrate compliance.
  • GDPR Control Assessments: Delivery teams can get an understanding of their compliance journey at any stage of the delivery lifecycle and work on continuous improvement.
  • Culture of Data Privacy in the Organization’s DNA: The model helps foster a privacy culture in the delivery lifecycle and helps build clients’ trust to become a key differentiator.

To help optimize the benefits of the compliance framework, privacy practitioners could look to reduce administrative burdens from manual workloads to support speed and agility in the delivery lifecycle.

Uses of Privacy-Enhancing Technology

Statistics from the introduction of GDPR in 2018 indicate human error has been a root cause of many data breaches. According to the 2019 Cost of a Data Breach Report conducted by the Ponemon Institute and sponsored by IBM Security, human error was the source of 24% of all data breaches. Human error can impact the success of even the strongest security strategies, such as those employed by healthcare organizations that collect highly sensitive personal information.

So, what’s the best way to prevent data breaches due to human error? It might be time to explore data-driven solutions for making the compliance journey easier.

According to Gartner, more than 40% of privacy compliance technology will rely on artificial intelligence (AI) by 2023, up from 5% currently. AI-powered solutions can help by reducing the inherent risks of human error as well as maintaining greater control over GDPR compliance enforcement. They also address the concerns of meeting privacy demands with speed and restoring customer trust.

Evolving Privacy Management Programs

Privacy engineering is an emerging discipline that has come to the forefront in recent years. It requires suitable security engineering expertise to be deployed. GDPR has set the requirements as per Art. 25 GDPR “Data protection by design and by default” for acceptable levels of privacy.

Going forward, enterprises can take stock of their compliance journey and focus on building privacy levels. These levels should cover standardizing compliance operations from a delivery standpoint and exploring privacy-enhancing technologies. These technologies, along with a privacy-by-design approach, can be hooked into the organization’s privacy management programs to build trust.

Today, while the world is preoccupied with responding to the COVID-19 pandemic, it will be worthwhile to watch how privacy management programs evolve in response.

COVID-19 has changed our lives with new work styles, new data privacy issues and new controls. Now, it’s time to rethink data protection and privacy programs and re-establish compliance elements across the delivery lifecycle to create a safer digital world before the next crisis unfolds.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today