It’s a hoary old cliché that the IT department exists in a world of its own, and it’s all too easy to lose sight of whether the organisation is the dog wagging its IT tail, or vice versa.
In the real world, the IT department, keeping people’s laptops and mobiles working, can seem a very long way from the C-suite. But if there’s one truism about GDPR, it’s this: not only can this new and detailed approach to data protection bring IT and the rest of the organisation closer together, its requirements demand that the organisation and its technology come closer together.
Jon Baines, chair of the UK’s National Association of Data Protection and Freedom of Information Officers (NADPO), says: “I think if IT and business are going to come together as a result of GDPR, it will be through a recognition that data protection is, at its core, not about systems, not about bits and bytes, but about people.
“The current data protection framework is based on European law that is over 20 years old, and which has focused on compliance and sometimes encouraged a tick-box approach. GDPR will make everyone think more about embedding a culture which respects and gives effect to people’s privacy and autonomy rights.”
Arriving at compliance with GDPR, where technology will be deployed with the specific aim of putting the interests of people at the heart of an organisation’s work, is a two-pronged process: there are a number of steps to take to make sure the technology can deliver compliance, and a number of steps the organisation itself must also take.
Tim Turner, a consultant in data protection who focuses on training, points out that there are “a range of things that are purely technical; purely procedural things that have to be done: it’s a huge job to catch up on if you haven’t already started”.
One key technology task, says Baines, is “mapping existing data flows – where and how and why are they processing personal data. Is it necessary to do so? Are they being open and transparent – and fair – about what they’re doing? Do the people whose information is being processed understand why and are they given an appropriate opportunity to object or say no?”
Another important technological consideration is encryption: the business will have to decide which encryption technologies to deploy, managing the trade-off between how quickly data can be accessed and manipulated and the processing overhead that encryption adds. On top of that, there’s the conversation around how to manage the encryption of active (in-use) data and stored (at-rest) data: where should that happen? Might that mean, for example, an upgrade to server technology so that decryption is handled in the client application rather than in the database? Or choosing a new cloud provider who can help you manage that seamlessly?
Baines says: “Encryption will in most cases be a given, but pseudonymisation techniques are also recognised in law as a risk-mitigator.”
Making sure that your customers, partners, clients, employees, suppliers – all your data subjects, in short – can exercise their rights is also a technology challenge. From ensuring that consent is recorded appropriately for each instance to being sure that you can give individuals access to their data and that, if necessary, you can rectify and securely delete it if asked to do so, businesses must have reliable, secure and robust technologies in place.
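The two technology points above, pseudonymisation as a recognised risk mitigator and the tooling needed to honour access, rectification and erasure requests, can be illustrated together. The following is an added, self-contained Python example, not code from the article or from any of the experts quoted; the class names, the HMAC-based pseudonym scheme, the demo key and the sample subject are all constructed for illustration. The design point it shows is that the link between a real identifier and its pseudonym lives in a registry held apart from the processing data, so the bulk data on its own is not directly identifying, and an erasure request is satisfied by removing both the records and the link.

```python
import hmac
import hashlib
import json
import secrets
from datetime import datetime, timezone
from typing import Optional


class SubjectRegistry:
    """Holds the secret key and the pseudonym -> identifier link table.

    Kept apart from the processing store (different system, different
    access controls) so that re-identification needs this object and
    its key, not just a copy of the business data.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._lookup: dict = {}  # pseudonym -> original identifier

    def pseudonym_for(self, identifier: str) -> str:
        # Keyed HMAC rather than a plain hash: the same input always gives the
        # same pseudonym (so records still join), but without the key nobody
        # can compute or confirm a pseudonym for a given person.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def enrol(self, identifier: str) -> str:
        pseudonym = self.pseudonym_for(identifier)
        self._lookup[pseudonym] = identifier
        return pseudonym

    def re_identify(self, pseudonym: str) -> Optional[str]:
        return self._lookup.get(pseudonym)

    def forget(self, pseudonym: str) -> None:
        self._lookup.pop(pseudonym, None)


class ProcessingStore:
    """Business data keyed only by pseudonym, plus a per-purpose consent log."""

    def __init__(self):
        self._records: dict = {}   # pseudonym -> attributes
        self._consents: dict = {}  # pseudonym -> list of consent events

    def record_consent(self, pseudonym: str, purpose: str, granted: bool,
                       at: Optional[datetime] = None) -> None:
        # Each grant or withdrawal is appended, never overwritten, so the
        # history of what was agreed and when can be produced later.
        event = {"purpose": purpose, "granted": granted,
                 "at": (at or datetime.now(timezone.utc)).isoformat()}
        self._consents.setdefault(pseudonym, []).append(event)

    def has_consent(self, pseudonym: str, purpose: str) -> bool:
        # The most recent event for a purpose decides; a withdrawal
        # after an earlier grant means no consent.
        for event in reversed(self._consents.get(pseudonym, [])):
            if event["purpose"] == purpose:
                return bool(event["granted"])
        return False

    def upsert(self, pseudonym: str, **attributes) -> None:
        self._records.setdefault(pseudonym, {}).update(attributes)

    def rectify(self, pseudonym: str, **corrections) -> bool:
        if pseudonym not in self._records:
            return False
        self._records[pseudonym].update(corrections)
        return True

    def export(self, pseudonym: str) -> Optional[str]:
        """Access / portability: everything held, in a machine-readable form."""
        if pseudonym not in self._records and pseudonym not in self._consents:
            return None
        payload = {"data": self._records.get(pseudonym, {}),
                   "consents": self._consents.get(pseudonym, [])}
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, pseudonym: str) -> int:
        """Remove every item held for the subject; returns how many were removed."""
        removed = 1 if self._records.pop(pseudonym, None) is not None else 0
        removed += len(self._consents.pop(pseudonym, []))
        return removed


def handle_erasure_request(registry: SubjectRegistry, store: ProcessingStore,
                           identifier: str) -> dict:
    """Erase the subject's data and sever the pseudonym link, then verify."""
    pseudonym = registry.pseudonym_for(identifier)
    removed = store.erase(pseudonym)
    registry.forget(pseudonym)
    return {"removed_items": removed,
            "still_held": store.export(pseudonym) is not None,
            "still_linkable": registry.re_identify(pseudonym) is not None}


def demo() -> dict:
    # Constructed sample: a fixed key and one made-up subject, so the run is repeatable.
    registry = SubjectRegistry(key=b"constructed-demo-key-not-for-production")
    store = ProcessingStore()
    pseudonym = registry.enrol("Alice@example.com")
    store.record_consent(pseudonym, "newsletter", True,
                         at=datetime(2018, 5, 25, tzinfo=timezone.utc))
    store.upsert(pseudonym, postcode="AB1 2CD", plan="basic")
    store.rectify(pseudonym, postcode="AB1 2CE")          # rectification request
    store.record_consent(pseudonym, "newsletter", False)  # consent withdrawn
    export_before = store.export(pseudonym)                # access request
    erasure = handle_erasure_request(registry, store, "alice@example.com")
    return {"pseudonym": pseudonym, "export_before": export_before,
            "consent_after_withdrawal": store.has_consent(pseudonym, "newsletter"),
            "erasure": erasure}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that `pseudonym_for` normalises case and whitespace before keying, so the same person submitted as "Alice@example.com" and " alice@example.com " maps to one pseudonym; without that, a rectification or erasure request could miss records. The key itself is the sensitive asset here: losing it makes the data effectively anonymous, while leaking it lets anyone who also holds the data re-identify it, which is why the registry and the store belong under different controls.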
These technologies have to be built into your business’s processes, and this is where the crossover into how your organisation works with technology comes into play. “This is potentially very significant for some categories of business,” points out Baines. “They need to prepare for the cost of this. For example, what if there is a targeted campaign by a large group of disgruntled customers” who want to exercise their right to data portability?
Your business will also need the organisational processes in place to ensure you know not only what your data flows are, but what you’ve got in the cloud, adds Tim Turner. And, he says, you won’t be able to “get away with not knowing what’s contracted out, to whom, and where. It won’t be any defence if you say ‘I relied on my provider’ and couldn’t answer for everything yourself.”
Other changes required by GDPR are demands on the business rather than on the technology, such as understanding whether you need to appoint a data protection officer. Judith Vieberink, an attorney for Netherlands-based First Lawyers, points out that the role isn’t like any other employee’s: “A DPO has to be independent with regard to the boardroom and with regard to the auditor.”
She adds: “You could have a DPO within your company, but if you do, you have to think about how you maintain their independence.” One thing your organisation has to consider is whether it makes more sense to use a consultancy for DPO duties rather than having one in-house.
GDPR means a huge philosophical shift for businesses: ask any expert what the key change is and they will tell you that it puts data protection right at the heart of your responsibilities, and that means making sure your staff know what their responsibilities are if they handle or process personal data. So by the time GDPR comes into force next May, data controllers and processors in your organisation will have to have had adequate training, not only on any new technology you’re putting in place, but also on their duties and responsibilities.
Organisations in the UK have a particular challenge with data transfers, too: despite the fact that the UK government has affirmed that GDPR will be implemented, once Britain leaves the EU in 2019, “we are outside the tent,” notes Jon Baines. “We will need EU approval to get back in. Businesses who rely on international transfers will already be weighing up options for the future, but in a worst-case scenario, they might be faced with onerous, restrictive and bureaucratic systems to move data between locations.”
GDPR is Data Protection v2.0, building on and harmonising requirements and creating a consistent framework that applies not only across the EU, but to non-EU businesses that handle the data of EU citizens. It’s the biggest shift in how businesses think about data for decades, and the smart businesses are already more than aware of the huge changes, both technological and organisational, the framework demands.
And as well as being a challenge, GDPR is an opportunity to create a climate in your business that breaks down old barriers between IT and C-suite to build a cohesive, dynamic partnership at the heart of your organisation.