Client: Arcadia Data.

First Published on Information Management, May 23 2018.

Facebook’s domination of headlines lately has crystallized the importance of meeting compliance when it comes to data, particularly personal data.

It’s no surprise that a large company with global reach is being held under such scrutiny. Europe has long had some form for data protection regulation, and with the adoption of the General Data Protection Regulation (GDPR) in 2016, organizations with any ties to European customers have been forced to amend their privacy policies.

One of the provisions set forth under GDPR is the appointment of a data protection officer (DPO). Public companies, companies whose core competencies include “regular and systematic monitoring of data subjects on a large scale,” and companies that process on a large scale personal information, such as race, religion, or biometric information or data pertaining to criminal convictions must appoint a DPO.

These days, nearly every company is a data company, so it behooves organizations of any shape or form to pay attention to these requirements.

Proactivity Is Key to Effective Compliance

The DPO is effectively the data steward of an organization. As the data steward, the DPO needs to be proactive in understanding the overlapping relationships used to control and process that data. Very few organizations will be able to cover every aspect of GDPR by May 25, 2018, and regulatory enforcement may not be consistent across jurisdictions.

The DPO needs to help the organization figure out how to mitigate the biggest risks, which could include an aggressive regulatory body that wants to teach the industry a lesson, and class action lawsuits from disenfranchised customers or disgruntled former employees.

To make matters more complex, the issue at hand may have originated from one of your data processors, not from your organization. Failures to meet GDPR requirements can straddle organizations with fines up to up to €20 million, or four percent of the worldwide annual revenue, according to the most egregious infringement.

Your DPO (or perhaps a team of DPOs) must be proactive and able to adapt quickly and learn new skills to orchestrate a robust and defensible process that incorporates a broad scope of disciplines, including business processes, technology, compliance, audits, vendor management, and the respective mix of personalities and politics.

To demonstrate robust and defensible processes, DPOs must proactively master the following data relationships: 

1. Data Processors: GDPR distinguishes data processors from data controllers. As an example, a financial institution is the controller of the data. It collects and determines what will be done with the data. The processors are third parties that process that data for purposes such as payments, mailing financial statements,, or generating a prospectus. Due diligence on every third party is required and can include physical site visits and cybersecurity reviews. Most importantly, DPOs may need to oversee the rewriting or revising of contracts to firmly lay out the purpose of data use, liability, and recourse. This becomes more challenging if the processor subcontracts work to other parties around the globe. The DPO needs to determine the acceptability of the subcontractors and ensure that contractual obligations apply to them too. Any breach down the line could rear its ugly head upward.

2. Customers: They are your most important asset, and their data is also your biggest risk. The DPO should have difficult, transparent conversations with the business, especially with those employees who utilize large amounts data for analytics. Decisions need to be made as to when that data is no longer useful to the business, and then the business should dispose of the information after all regulated data retention periods have expired. If former EU customers are part of an email campaign that monitors whether the the person opens the email, the organization is being exposed to unnecessary risk. 

3. Employees: There are many areas of organizations that are treasure troves of personal data. For example, the Human Resources department holds information about salaries, health insurance, job reviews, etc. and employees know the intricacies of the organization, including overlooked sources of potential data breaches. These breaches could include personal information left at the copy machine, or client list information accessed by a shared drive. The risk is that disgruntled former employees know how to leverage this information to expose a weak link in your data privacy chain or something is accidentally disseminated beyond the company walls. This kind of risk identification could be encouraged by gamifying the process and rewarding those who spot the most potential breaches.

Today, organizations are heads down, focused on meeting a May 25 deadline with the goal of mitigating the largest risk factors within their organizations. They are using the technology they know now, but they realize that not every aspect of GDPR will be met. 
Showing a robust and defensible process with a roadmap for improvement should alleviate some regulatory pressure and provide a foundation from which to respond to potential litigation.

As the GDPR process matures, actions across regulatory jurisdictions align, and the role of the DPO evolves, new and sophisticated solutions will arise that can improve business outcomes.

The adoption of modern big data platforms like data lakes will mitigate the inherent risks of continually moving data, and will also provide the foundation to leverage technologies like artificial intelligence and visual analytics. This will provide DPOs and their teams a comprehensive front end that demonstrates a robust and defensible process to their board and regulators.