CURRENT AND FUTURE FOCUS AREAS
With GDPR now in full effect, European residents are finally in a more privacy-friendly world. Organisations invested weeks and months getting to their interim privacy maturity states in the time leading up to the May 25th deadline. They largely prioritised efforts around areas such as data processing inventory, privacy notices, consents, DPO appointment, contracts addendums, rights request workflows, and basic training and awareness.
However, the work is far from over. Business must lay out a clear plan to progress from their current privacy level to the desired compliance level, a task requiring immediate attention. They must also plan to implement forwardlooking solutions allowing for sustained compliance as new data and processing activities come into the regulated perimeter. These trends are pushing businesses towards solving problems across three key areas:
Privacy Assessment Framework
Demonstrating ongoing compliance
Organisations have invested significant effort to show their commitment to comply with principles of transparency, accuracy and data minimisation required by the regulation. With accountability as the new principle, regulators have made it clear that organisations (data controllers) need to demonstrate compliance on an ongoing basis. Myriad challenges complicate this task:
- Organisations do not have a robust privacy assessment framework that they can use assess and monitor privacy risks and controls on an ongoing basis
- Current risk assessments do not provide adequate coverage of GDPR or data privacy
- Organisations do not have a GDPR-specific risk and controls matrix, and there are no proven libraries they can leverage out of box
- Privacy risks vary with business functions
Third-Party Risk Management
Assessing the data privacy and security preparedness of third-party data processors
Data breaches are now common. The increasingly complex supply chain for today’s technologically advanced business landscape and evolving cyber threats only fuel the chance of an organisation being subjected to a third-party related breach. Many studies of some of the recent breaches suggest that as many as 50% breaches can be directly or indirectly attributed to supply-chains.
The GDPR, FCA and other regulatory norms make the repercussions for these breaches massive. However, many organisations have taken a myopic approach to data privacy and security, focusing largely on perimeter and ignoring or deferring their supply-chain.
As organisations now look to enhance and optimise their third-party risk management processes, they face several challenges:
- There is no single authoritative repository of all third parties and their related details, including services they provide and data they process
- Various departments hold and maintain their own records of suppliers in largely unstructured forms such as spreadsheets
- Current processes for conducting third-party risk assessments are manual and time-consuming, resulting in a low proportion of risk-assessed thirdparties
- Assessment questionnaires are subjective, making the quality of data gathered as part of responses is poor
- Manual risk scoring methods mean that insights generated from assessments are basic, at best
- There is limited knowledge of risks posed by the organisations in the third party’s supply chain
Manual process alone will not enable organisations to accurately assess their third-party risk. Technology will be critical in augmenting overall risk assessment and reporting processes.
Forward-looking processes and solutions
Largely organisations’ compliance efforts thus far have been tactical. They were aimed at getting over the line and minimising adverse privacy impact. Unsurprisingly, many of these measures were manual and hence less sustainable. Take, for example, areas such as data and processing inventory, DPIA and rights of data subjects. Organisations carried out structured data audits to understand how personal data is held and processed, resulting in spreadsheet-based data and processing inventories. Likewise, data protection impact assessments (DPIA) questionnaires were manually circulated to various internal business functions for one-time risk assessments of their processing activities. Customer requests around portability and erasure are tracked manually or via a ticketing system with no workflow capability. Other areas have seen similar tactical fixes mainly aimed at achieving partial compliance in the short term. Such measures prompt many challenges in the long run:
- Spreadsheets only provide a point-in-time snapshot and must be maintained as new data and processing operations come into regulated perimeter
- Unstructured data has been largely deferred until now; discovering and inventorying such data manually is unimaginable
- Manual processes for rights request management aren’t scalable for spikes and surges in request volumes given tight fulfilment timelines
- Manually fulfilling complex requests such as data erasures may not work, especially as unstructured data comes into the mix
- Access provisioning and permissions will require sophistication to account for staff movements
Achieving sustainable compliance requires people, processes and technology working together. Digitising spreadsheets will minimise errors, automating critical activities creates efficiencies, and robust underlying processes support business logic while an effective governance structure provides strategic direction.
GDPR is profoundly reshaping the way data is managed by organisations, challenging their current system landscapes, internal processes, data management practices and governance structures. It is not surprising that current measures for complying with this regulations aren’t yet sustainable. Organisations still require sizable and well-deliberated investments in terms of augmenting people, process and technology. GDPR compliance is a journey, and a solid compliance roadmap will ensure
compliance and good data practices in the longer run.