Recently, we hosted a GDPR roundtable discussion for more than 20 CISOs, senior compliance and risk directors from enterprise organisations. The conversation ranged from readiness, to the New Data Protection Bill, to insights around various different Articles within GDPR and the tools companies need. Below are five key takeaways from the fascinating discussion.
- Key GDPR challenges
When asked what their biggest challenge is relating to GDPR, various participants talked about their concerns surrounding telemarketing, as they often don’t ask for permission when contacting clients. Other concerns included understanding data erasure as well as data mapping with legacy systems and hard copy files. They said handling historical records and legacy applications can be challenging. Participants said they were also unsure how to implement GDPR locally and follow this through with overseas parent companies. They also wondered how to ensure partner companies are adhering to the legislation. How to interpret and understand risk was another concern as the challenge of establishing the legal basis for processing personal data.
Many organisations don’t know why they have been amassing personal data for many years, creating ‘data lakes’ that are now a breach under Article 5. Organisations are concerned about erasing personal data because it is more complicated than they realised, they said, and many are uncertain how to ensure it is properly destroyed.
- Why do we need GDPR?
GDPR represents a major development in EU data protection law as data subjects’ rights are strengthened across the board, with a natural toughening of obligations for personal data. We talked about how GDPR puts a framework around the world’s biggest, single, digital market, which has developed enormously since the original Data Protection Act 1998. As we have embraced digital, consumers have freedom around what products and services they use, but that freedom makes it hard for organisations to do business across one digital market. Many changes have been enabled by advances in technology, hence it has taken four years for GDPR to be agreed by the European Commission, European Parliament, and Council of Ministers.
GDPR is focused on personal data processing and providing greater accountability, transparency, and control. Under Article 13, a data privacy notice is given directly to the data subject and under Article 14, the data controller must give the data subject a data privacy notice. The data privacy notice is the cornerstone of transparency and accountability in the GDPR and if an organisation is going to process someone’s data, they must pay particular attention to this.
- The GDPR transition journey
The group discussed how organisations tackle GDPR. A typical GDPR transition journey starts with an assessment of the existing organisational landscape. The assessment involves identifying compliance and very high-risk areas of processing personal data. Organisations should then define a future state and work toward designing the people, processes and technology components that will mitigate risk. Technology can be used to effectively reduce risk in processing personal data and enable organisations to manage and continuously improve risk mitigation and data protection by design and by default (Article 25, GDPR).
- GDPR in a box
Full compliance with Article 25, which is all about data protection by design and default will mean an organisation is almost 100% compliant. One participant talked about Article 25 being “GDPR in a box.”
GDPR is a principles-based regulation; it doesn’t spell out in detail what organisations need to do to reduce high risk to residual risk. If an organisation has a personal data breach, it has to provide a narrative that shows the ICO and regulator(s) it has taken measures to mitigate risk through appropriate technical and organisational measures. This led the conversation onto the role of the Data Protection Officer (DPO) and how this role can help by making sure the organisation is on the right path. Also, if there is a personal data breach, the supervisory authority may point to the fact that the organisation didn’t have a DPO as an aggravating factor.
- Burden or benefit?
So, is GDPR a burden or are there benefits? Will organisations be able to do more with personal data by building a personal sense of trust with their customers? Or are they putting GDPR in place to make sure they don’t get fined or sanctioned? The consensus was that, right now, about the greatest concern is not getting fined, with one participant commenting: “GDPR is so vast and so woolly, there is a fear of tripping yourself up, so we are focused on having the basics in place so we don’t get fined. This is first base and we’ll think about the next level after that.”
We concluded the roundtable by asking who felt they were GDPR ready. One participant was confident their organisation was 90% ready. Another claimed to have only started its GDPR journey yesterday. When thinking about what they would implement immediately, participants talked about embedding GDPR into their entire product-management lifecycle, aligning technology to different Articles and removing “data lakes” by seriously looking at the retention of data and its deletion.