ABBL, May 2019
GDPR – What we have learned since May 25th
General Data Protection Regulation (GDPR) entered into force in May 2018 and still remains, unsurprisingly so, a hot topic in every company and management agenda. Since its inception, we have witnessed an evolution among key players, for large and small entities (banking sector oriented), common trends and roadblocks as well as forecasts for 2019 and the vision for coming years. In order to leverage on these lessons learned, we have got as input the yearly report developed by IAPP and EY (IAPP-EY Annual Privacy Governance Report 2018), which has a worldwide coverage, as well as answers as part of polling questions received at EY events where main local players were present.
Overall the regulation was somewhat well supported and communicated in Europe since only 3% of the organizations did not know whether or not they fall within GDPR’s scope (IAPP-EY, 2018). Furthermore, according to the same study, 44% of the respondents considered themselves compliant with the new regulation. The GDPR dynamic has taken a good start, however, the ratio of compliant organizations is not expected to exceed the upper limit of 89% (IAPP-EY, 2018). This threshold raises questions among the privacy sector professionals. Indeed, among every organization that falls within GDPR scope, how is it that only 11% believe they will not fully reach compliance?
Major challenges faced by the organizations
To answer that question, one can consider “operational factors” as the common culprit. First, it has been observed that organizations often face a fear of processing personal data. The user consent is an everyday problem for all types of organizations, whether you need a copy of an ID card, a phone number, or a social security number. It is even more relevant for large B to C services that process a tremendous amount of data. One shall not fear too much as user consent is only one of the six legal grounds to process data. We also observed this fear for organizations that process very sensitive data, as demonstrated by the first ever GDPR fine given to the Barreiro-Montijo hospital in Portugal (400 000€). However, banking industry fines related to GDPR have been imposed as well, just to name Helifax with £500 000 imposed by ICO in September. Besides, this legal ground should be used as a last resort to process data and only if there is no other legal ground to process the data, in which case, you should probably question your processing first.
Still on a legal standpoint, the difference between data controller and data processor and the responsibilities of processing that ensue are not always clear. Although the definition is quite simple, applying this aspect of the regulation can lead to problematics on an operational level. Keep in mind that whether you are data controller, co-controller or data processor and often both, you are always responsible of the data you own, even if processed on your behalf by someone else. Thus, besides being compliant yourself, the underlying condition there is to clarify how your data processors operate and communicate incidences. It is obviously close to impossible to control per se how the data processor operates internally regarding your data, therefore you must protect yourself with contractual clauses specific to GDPR. As aforementioned, the GDPR dynamic is already undertaken by most organizations, therefore there should not be many situations wherein you would be required to convince service providers to comply to the regulation. This can also be overdue by having a clear control framework and performing regular due diligence on your data processor, in order to know and understand how the personal data they process on your behalf is managed and protected. The contractual clauses are a good protection ex-post and enforce due diligence on a legal standpoint. However, to provide insurance prior to a potential mistake from your data processor, you might exercise actively the right to audit his processes involving the personal data you own.
Data retention period is a tricky point. In fact, GDPR does not mention any specifications regarding retention period. The regulation states that according to the Right to be forgotten “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” (GDPR, Art. 17 – Right to erasure (‘right to be forgotten’)). This means that companies need to be aware about the regulatory landscape that covers their organization, so that right retention period can be applied. Many retention periods are already defined by law and regulators, however main issues arise as the specific context alter the defined retention periods of specific type of information. Then, the difficulties start due to the fact that this is based on company’s judgment in order to provide a decent retention period for both, enable the right operational factors, but also to respect the regulation in regards on having the data only for the period that it is needed for the organization (again, a subjective terminology). In this regard, the physical storage raises even more issues. Most of the time, organizations keep their monthly/yearly backups on hard drives or tapes regardless of the data inside. Therefore, deletion of the data after the end of the data retention period might become a technical challenge. Thus, the data storage must be thought again to ease the deletion process.
Note that the definition of processing is quite broad and involves “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction [of personal data]” (GDPR, Art. 4 – Definitions). Thus, in the regulation the Right to be forgotten refers later on to the lawfulness of processing aforementioned. Therefore, as long as you don’t follow one of the six legal grounds for processing data, you be already in breach. If some regulations require you to keep the data for 5, 10, 30 years, then the legal ground “legal obligation” applies. This aspect leads us to one of the most common challenge organizations face, data classification, mapping and to professionalize data management, as we can observe in several financial institutions.
In most organizations, data mapping is a complete imbroglio. In this regard, blessed are the organizations with a simple information system. The more applications and international integration there are, the bigger the challenge will be. Although to implement data management solutions implies to implement data governance, GDPR will therefore force you to rethink your internal processes and focus on the essential. The regulation implies that organizations knows where each type of data is. For this reason, a normal outcome of almost every GDPR engagement is for a company to go through a data management program, where several initiatives such as data classification, data inventory, governance or data protection.
One of the most common misconceptions is that there must be a Data Protection Officer (DPO) within the organization. It is not mandatory nonetheless highly recommended to have one. This would of course depend on the size of the organization, their nature of business and the extent to which personal data is divulged. So in this case, banking industry need to mandatory appoint a DPO. This has been well understood since in 2018, 75% of organisations have appointed a DPO (IAPP-EY, 2018). However, questions are raised about the DPO’s scope and his position within the organization. What renders the DPO concept complex, is that there is no ubiquitous answer here. There are as many configurations possible as there are organizations. Whether there is one DPO or more, whether he works for example under the Chief Compliance Officer or beside him, whether he has a team of his own or operators in different Business Units is up to each organization. So far there is no answer better than the other. Anyway, companies still find difficulties to avoid the conflict of interest between DPO’s position and its duties. So for this reason, many organizations have also opted to outsourced their DPO role, getting an external view on their GDPR compliance journey along with a group of expertise in the field (multi-disciplinary team).
Delivering all relevant documentation in order to get toward GDPR compliance is a complicated task requiring lots of resources. The documentation established by internal or external auditors, the DPO, or the CISO is static and depicts a state at a given time and requires therefore maintenance. After the first implementations, companies realized the GDPR compliance projects were not one-shot projects. The difficulty here lies in the maintenance of effective controls, documentation and procedures. As the management needs up to date reporting, the deliverables need constant update and review at the operating level.
Whether you can relate or not to this non-exhaustive list of common challenges faced by organizations today in regards of the GDPR, following simple advice can help to undertake problematics from a different perspective.
A regulatory requirement not only perceived as a legal burden but as an opportunity
Accept GDPR as an organization-wide project. GDPR is not only IT’s or legal’s concern, it will require changes in governance, perhaps a new cross-functional team, modifications of policies and procedures, automation of auditable processes. Although IT processes are the most affected and relevant in the light of GDPR, your IT people won’t be the only one processing personal data in the organization. The GDPR, more than being a regulation, is a culture, going even further, it’s a way of life, so to speak...which leads us to our second takeaway:
Insist on instilling awareness and trainings. As aforementioned, GDPR is equally a legal framework to follow than an organizational culture to assimilate. This privacy culture is to be incorporated on every level of the organization. As any change manager would support, you cannot integrate a new organizational culture of transparency and not being afraid of GDPR. GDPR is seen as a good regulation by the people. More and more people want to know about privacy, they are involved in this change. Thus, enjoy this dynamic to change the culture.
Question your processing. Always wonder why you process personal data. As seen before, the definition of “processing” is quite broad. Thus, ask yourself where and how you store the data. Who, why and how you transfer it to. What type of data you are processing. The deeper your understanding of your processing, the easier it will be to comply to GDPR. Even though the regulation might look scary when you’re not a privacy expert, the reasoning behind each principle makes sense. If you answered the first questions of this paragraph, you may already think about some areas of improvement toward GDPR compliance.
Focus your processing on the essential added value activities. Obviously, an organization has to reach its purpose and cannot change its activities. However, it is recommended not to drown in a mass of data. First it would not be a cost and time-efficient way, and it would increase the risk of GDPR non-compliance. Data analytics is therefore in the focus of GDPR.
Take the opportunity to improve your processes. Surely the financial risk of non-compliance is too high to be ignored. The GDPR sets the record in terms of highest fine possibly imposed so far which can be as high as “20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.” (GDPR Art. 83 – General conditions for imposing administrative fines) as a direct financial risk. Not only that, but companies involved in data breaches have a strong reputational impact as fines are publicly visible that can affect their position in the market. De facto you will have to reassess your processes, take some time to think about how things can be done better, better automated, better data managed.
How does the future look like?
In 2019 and beyond, the market will continue evolving according to the GDPR. We observed in 2018 increases in consulting, law, IT security and privacy services answering to the first phase toward GDPR compliance. However, there is still work to do. The GDPR will bring forth new sectors to the market. Upcoming disruptors in this regard are the following:
Data management programs are still costly today, new technologies emerge and the high demand is creating a void to be filled by creative entrepreneurs or data leakage prevention solutions. As discussed above, data classification, mapping and management is not yet optimal to most organizations. Larger organizations started to undertake massive data management programs and smaller organizations may not have any solution as of today. Thus, we expect a sharp increase in such solutions.
On a similar standpoint, the Chief Data Officer will assert its position on the market. Reporting and being up to date if more and more part of the agendas. As mentioned above, data management and the challenges it raises, as per the multiplicity and abundance of the information, are inherently complex. The growing importance of data in the information era leads de facto to a need of a full-time responsibility undertaken by a Chief Data Officer.
The role of the DPO will assert its position on the market and keep on evolving. Whether inhouse or outsourced DPO services, the companies are eager to have a dedicated person to assume responsibility for this role. In fact, only 1% of the companies will remove the DPO after having reached GDPR compliance (IAPP-EY, 2018). The “DPO as a service” is starting to develop and is expected to evolve as it is a cost-efficient solution for smaller companies that cannot afford the skills and expertise internally. The aforementioned can be witnessed at EY, wherein DPO as a service is highly demanded among our clients.
Process automation services acts as a competitor in this race. Indeed, the GDPR compliance journey demands a lot of assessment (i.e. Record of Processing Activities, Data Protection Impact Assessment, Gap analysis) which are static on paper or in GDPR toolings, but not on the operational level in the organization. A market is being built from scratch here in order to monitor the evolution of processes related to the regulation.
Finally, 2019 will be the year of GDPR certification, which control framework is owned by our local regulator CNPD, will become official. This will provide to local banks and other companies to get an external assurance over their compliance level towards GDPR requirements and on the effectiveness of controls. As seen above, GDPR may be sometimes subjective in a way due to the fact that it is a risk-based regulation, so this will provide a common way for companies based in Luxembourg to certify the work done in the previous years.
The GDPR, as it was supposed to do, is currently transitioning the obligation of privacy to a culture of privacy. Of course, the shocking point that we always hear is the tremendous fine that could be given by the authorities. When you dig deeper however, you feel the involvement of people, the desire to know more, the aspiration to do things in the right way. The people who carry GDPR projects in the corporate world are usually way more eager to protect their fellow citizens’ personal data than their own in their private life. Although often considered as a cost, GDPR is more an investment. It is a good opportunity to question aged processes, improve your ways. GDPR compliance will inspire trust in your organization, both from your customers and collaborators. There is still a long way to go, new challenges and opportunities arise before us, but we are getting there.
IAPP-EY. (2016). IAPP-EY Annual Privacy Governance Report 2016.
IAPP-EY. (2018). IAPP-EY Annual Privacy Governance Report 2018.
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. (2016, May 04). Official Journal of the European Union.