The General Data Protection Regulation (GDPR) marked its two-year anniversary in May 2020 as one of the “toughest privacy and security” regulations, according to the European Union. GDPR has triggered a global movement of maturing privacy and data protection laws with stricter requirements.

Meanwhile, the global COVID-19 pandemic is affecting day-to-day reality. While organizations were already working on GDPR compliance, COVID-19 is making its adoption more urgent.

We are now in the transitional year of the GDPR adoption journey, with the primary focus on demonstrating compliance. As per the enforcement timeline, 2020 is the year to report on the implementation of the GDPR.

The EU issued a two-year review of GDPR on June 24, 2020. The report details the EU commission’s work on the international dimension of privacy reinforcement by strengthening cooperation between European and international regulators to develop elements of convergence between different privacy systems.

Gartner has predicted that by 2023, 65% of the world’s population will have its personal information covered under tough privacy regulations, up from 10% currently. The high-tech research firm estimates over 60 jurisdictions have enacted or proposed strong privacy and data protection laws since 2018.

How Does the Pandemic Impact GDPR?

The European Data Protection Board (EDPB) has been periodically releasing statements about GDPR applicability to the outbreak of the global pandemic. The pandemic has pushed enterprises and organizations of all sizes to modernize their IT infrastructures to accommodate the changing business landscape. COVID-19 circumstances demand that organizations consider intensifying privacy initiatives and preparing for enforcement. This is driving organizations to re-think and transform their traditional privacy management programs.

The EDPB has issued guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The board tries to strike a balance between data privacy and the need for technology to help fight COVID-19. It stresses the GDPR principles of effectiveness, necessity and proportionality to guide any COVID-19 measure adopted that involves the processing of personal data.

How Can Organizations Reinforce Privacy?

The compliance responsibility for regulations like GDPR does not just lie with organizations, employees and customers. It includes everyone as we cope with many other pressing challenges during the COVID-19 pandemic. To strengthen regulation enforcement preparedness, organizations can take a systemic approach to reinforcing privacy in the changing business landscape and emphasize building a privacy culture.

Delivery Teams’ Key Challenges

In medium-sized to large enterprises, the standard delivery lifecycle undergoes five key phases: initiate, plan, design, implement and deploy. Most delivery teams struggle to align and fit compliance elements into the standard delivery lifecycle phases. Here are four shortcomings that affect the compliance journey in the delivery lifecycle:

  • Lack of awareness and training on GDPR Technical and Organizational Measures (TOMs).
  • Lack of GDPR solution guidelines.
  • Lack of understanding of the TOM implementation process.
  • Lack of awareness of organizational compliance validation approaches.

There are several key questions about GDPR compliance which delivery teams should consider. Where do you start on the GDPR compliance journey? What GDPR TOM controls apply to project delivery and how can your team implement them? What are the solution design guidelines for applicable GDPR TOMs? And, what GDPR compliance evidence do you need to show?

Initial concern on the first anniversary (May 2019) of GDPR has faded. The second anniversary (May 2020) is the beginning of the enforcement wave. Delivery teams play a key role in that enforcement. To answer the above questions, let us first understand the compliance elements across the people, process and technology pillars and view the compliance model through a delivery team lens.

Understand GDPR Compliance Elements

How can you map the compliance elements in the key pillars of an organization?

That question was a focus in the first year of GDPR’s implementation. By now, most organizations should have mapped the compliance elements across their people, process and technology pillars and developed a map of the GDPR compliance elements. Here is a sample:

Fig-1: GDPR compliance elements (Source: IBM)

Once we have a view of the compliance elements, the next step is to build a practical framework from a delivery perspective.

Operationalize the GDPR Compliance Framework

The GDPR compliance model hooks the elements of people, process and technology into the delivery lifecycle phases. By doing this, it addresses delivery teams’ concerns about achieving and showing GDPR compliance. It provides the guidelines for the inclusion of GDPR TOMs in a project lifecycle. Below is a sample compliance model that demonstrates how a client can integrate the compliance elements into the delivery lifecycle phases. At the top of the model is the governance layer that ensures executive involvement, defined policies, compliance, risk management, metrics and reporting.

Fig-2: GDPR compliance framework model (Source: IBM)

A successful GDPR compliance program requires the team to examine delivery barriers to TOM implementation. Additionally, they must show compliance and foster a ‘privacy culture’ in the delivery lifecycle. Below are the key benefits that organizations could achieve with a robust compliance model:

  • Executive Commitment and Action. Executive leadership can steer successful implementation across the delivery lifecycle as well as govern and track GDPR compliance.
  • Clear Roles and Responsibilities. The model helps in understanding the clear roles and responsibilities for stakeholders and decision-makers in the delivery lifecycle.
  • Formalized Process Documentation. Defined processes and guidelines help enable the team to add value, provide quality, deliver with speed and demonstrate compliance.
  • GDPR Control Assessments. Delivery teams can get an understanding of their compliance journey at any stage of the delivery lifecycle and work on continuous improvement.
  • Culture of Data Privacy in the Organization’s DNA. The model helps foster a privacy culture in the delivery lifecycle and helps build clients’ trust to become a key differentiator.

To help optimize the benefits of the compliance framework, privacy practitioners could look to reduce administrative burdens from manual workloads to support speed and agility in the delivery lifecycle.

Uses of Privacy-Enhancing Technology

Statistics from the introduction of GDPR in 2018 indicate human error has been a root cause of many data breaches. According to the 2019 Cost of a Data Breach Report conducted by the Ponemon Institute and sponsored by IBM Security, human error was the source of 24% of all data breaches. Human error can impact the success of even the strongest security strategies, such as those employed by healthcare organizations that collect highly sensitive personal information.

So, what’s the best way to prevent data breaches due to human error? It might be time to explore data-driven solutions for making the compliance journey easier.

According to Gartner, more than 40% of privacy compliance technology will rely on artificial intelligence (AI) by 2023, up from 5% currently. AI-powered solutions can help by reducing the inherent risks of human error as well as maintaining greater control over GDPR compliance enforcement. They also address the concerns of meeting privacy demands with speed and restoring customer trust.

Evolving Privacy Management Programs

Privacy engineering is an emerging discipline that has come to the forefront in recent years. Deploying it requires suitable security engineering expertise. GDPR sets the requirements for acceptable levels of privacy in Art. 25 GDPR, “Data protection by design and by default.”

Going forward, enterprises can take stock of their compliance journey and focus on building privacy levels. These levels should cover standardizing compliance operations from a delivery standpoint and exploring privacy-enhancing technologies. These technologies, along with a privacy-by-design approach, can be hooked into the organization’s privacy management programs to build trust.

Today, while the world is preoccupied with responding to the COVID-19 pandemic, it will be worthwhile to watch how privacy management programs evolve in response.

COVID-19 has changed our lives with new work styles, new data privacy issues and new controls. Now, it’s time to rethink data protection and privacy programs and re-establish compliance elements across the delivery lifecycle to create a safer digital world before the next crisis unfolds.
