The General Data Protection Regulation (GDPR) was an important step in forcing businesses to think differently about their data while giving consumers some control over their personal data as well. As GDPR became front of mind for everyone, the method by which businesses attempted the journey to compliance varied greatly. Now that the deadline has passed, we’ve been able to take a retrospective look into what it takes to be a successful GDPR solution and found that it really boils down to five key factors: accountability, collaboration, a holistic approach, sustainability, and trustworthiness.
One of the biggest changes introduced by the GDPR is that it explicitly requires accountability.
Therefore, it is an important prerequisite in becoming GDPR compliant. It requires businesses to take the necessary technical and organizational measures to comply and to demonstrate such compliance with the principles and obligations arising from the regulation.
Privacy by Design is an important principle when it comes to achieving accountability. Essentially, Privacy by Design is a concept intended to implement the first line of defense for data privacy. To achieve this, it requires the controller to organize its people, processes, data, and technology in such a way that data privacy becomes a default property of its everyday activities. Evidently, this requires thorough insight into the organization itself, which can only be achieved through a properly documented process register.
According to the European Data Protection Supervisor, top management is accountable for GDPR compliance; however, to make this possible you need to instill responsibility at all levels of the organization. For instance, the process owners will typically assume responsibility for generating the process register, while the DPO and the risk and IT departments will provide consultation. In addition, it’s a best practice to inform the relevant stakeholders. In order to initiate such accountability, you need to specify and implement the appropriate internal policies and standards and define roles and responsibilities at appropriate levels within the business.
Some of the important roles which you will have to specify are:
- Owner: In addition to the process and technology owners, it is highly recommended to assign risk owners. Where top management will be responsible for determining the risk appetite for your sensitive data, business-critical processes, and technology assets, the risk owners will be responsible for managing the risks and controls and for monitoring whether the risk level remains within the risk appetite set by top management.
- Steward: Where the Owner is responsible for many of the activities needed to comply with the GDPR, it will typically be the Steward that does the actual work.
- DPO: The DPO does not need much introduction. Article 39 of the GDPR lists their responsibilities, such as the responsibility to inform and advise the controller, monitor compliance, and act as the point of contact for the data subjects and the supervisor.
Another aspect of accountability is proper risk management. This is where the risk assessment and the Data Protection Impact Assessment (DPIA) come in. Combined, they are a useful exercise to help identify, assess, and mitigate privacy risks when conducting data processing activities, and as such help organizations comply with the requirement of data protection by design.
As people join and leave your company, managing accountability will be quite challenging. Collibra simplifies this complexity by allowing you to manage the roles and responsibilities at each level of your organization while providing you with an overview of all the responsibilities per usage.
A successful GDPR implementation largely depends on seamless, strong collaboration throughout your organization. Whether it’s preparation or sustaining compliance, it requires a lot of work across teams, lines of business, entities, time zones, etc. The teams in charge of setting up and maintaining the process register will have to get the information from many different people within the organization, and your DPO has to work together with the business, IT, and management to provide consultation as required by GDPR.
Collaboration is where Collibra excels. Our solution offers a clear and concise method of assigning roles and responsibilities. Workflows, email notifications and task management allow you to assign the work to the correct team while ensuring the right information gets to the right person. Furthermore, comment and rating capabilities allow for fast and accurate feedback.
A Holistic Approach
A key characteristic of risk is its interconnectivity. That is, risks to the data subjects come from an interplay of risk events affecting your people, processes, data, and technology. In order to properly assess the risks, you will have to understand how everything is connected.
Events such as Brexit or a suspension of the Privacy Shield create the need to perform DPIAs and reassess safeguards, and therefore to quickly find the technology assets and processes that have been impacted by them.
The Collibra GDPR solution allows you to relate your people, processes, data, and technology to one another so you can see exactly how your technology is used for your processes, which teams have access to which data, how data flows across borders, and so much more. The resulting transparency allows you not only to understand and trust your processes and the data they use but also to perform risk assessments and third-party assessments, quickly respond to data breaches, and manage data subject rights.
Currently, there are two important political uncertainties that might prove the importance of having a holistic view of your business and the risks to its data subjects: the potential suspension of the Privacy Shield and Brexit.
Following Donald Trump’s executive order, which effectively excludes European citizens from the protection provided by US privacy law, and the Cambridge Analytica case, the European Parliament had given the US until September 1, 2018 to demonstrate compliance with the terms of Privacy Shield, recommending a suspension of the framework if the US cannot attest such compliance.
This would mean that companies that currently transfer European personal data to the US under the Privacy Shield will have to implement safeguards, such as standard contractual clauses and binding corporate rules if they want to continue with those transfers.
Brexit creates a similar level of uncertainty as it would make the UK a third country. Therefore, transfers of European personal data to the UK would no longer be allowed unless the European Commission deems that the UK provides an “adequate” level of personal data protection.
Otherwise, companies that transfer European personal data to the UK will have to implement the necessary safeguards.
Clearly, if one of the hypothetical cases materializes, companies will need to have a good view of how their data flows and, more specifically, whether European personal data flows to the US or the UK. This will only be possible if your solution provides you with a holistic view of your data flows.
The compliance deadline wasn’t the finish line; complying with data regulations will be a continuous effort for companies as processes change along with the technology and data they use and the teams that are responsible for them. Therefore, you will have to regularly update your process register and data mapping and revise your risk assessments, DPIAs, and Legitimate Interest Assessments (LIAs). Collibra allows you to manage your process and data lifecycles in a governed way, making it easy to stay up to date as your business and data processes evolve and scale.
Finally, a successful GDPR solution is one that allows you to build and maintain trust. If your consumers trust you with their personal data, it’s likely that they will provide you with more data. At the time of writing Facebook lost USD 120 bn in market value following data privacy issues, showing the real impact of trust on a company’s value. But trust isn’t limited to your consumers; if your management can trust the numbers in their reports, they will make more informed decisions; if data scientists can trust the data, they will provide you with better insights. To excel in a world of digitalization and transform your data into dollars, trust is a necessity, which is why every feature of Collibra was created with the purpose of building that trust.
With his experience in financial risk management, Bart understands the value quality data and algorithms can bring to a company.