Two and a half years on from the original GDPR launch, concerns remain around Data Privacy maintenance and sustainability. Many organisations continue to face challenges in optimising their existing Data Privacy platforms, processes and procedures.
The acceleration of regulatory action has forced companies to engage more fully with Data Privacy and adapt their Data Privacy programmes. While current advice from the ICO (the UK Supervisory Authority) states that the Data Privacy Officer (DPO) isn’t personally liable for data protection compliance, as the controller or processor of data it remains the DPO’s responsibility to ensure compliance with the regulations. Looking forward, the DPO’s role will become increasingly integral to ensuring organisations achieve their data protection obligations.
At the same time, new and emerging Data Privacy regulatory standards and laws continue to introduce novel requirements that herald a significant transformation in data management.
DPOs and the Wavestone DPO Radar
Against this backdrop, Wavestone is seeing an increase in the extent of responsibilities of DPOs and Heads of Privacy Operations. There are a substantial number of topics and challenges that DPOs need to keep abreast of and manage effectively.
This is illustrated within our 2020 DPO radar:
Wavestone has observed that focus on key DPO topics is driven by both pull and push factors. Regulators are becoming increasingly diligent, taking on more of an investigative approach. This suggests that DPOs will have to be increasingly proactive with their privacy compliance. On the other hand, technological innovation in this space has seen opportunities to automate previously manual processes, as technical advancements are being integrated into ambitious privacy programmes.
For Data Privacy professionals, while 2020 was widely regarded as the year of the Data Privacy Impact Assessment (DPIA), Wavestone expects 2021 to be characterised by sustained activity in three different areas:
GDPR was somewhat ambiguous in its original guidance on Data Retention and Data Erasure, which led many organisations to defer action on these topics. 2021 will see many DPOs seeking to establish and maintain a strong data retention and erasure policy. Procedures must be implemented to comply with Data Privacy regulations and improve protection against data breaches and other data-related risks. These policies require the deletion of redundant data wherever there is no requirement to retain it.
Wavestone’s approach for addressing these challenges has three steps: indexing data so that its relevance and age can be identified easily; establishing efficient methods for finding data in scope for deletion, including in archives and back-up data stores; and resilient deletion methods that don’t compromise system records’ integrity. This latter step frequently involves the design and implementation of date/time stamping requirements for third-party systems, with specifications for any bespoke systems.
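The three-step approach above, as an added illustration that is not Wavestone’s code: records are indexed with a category and a relevance date, every store (live, archive, backup) is searched for records past their retention period, and erasure replaces the payload with a hashed tombstone so that references and audit trails stay intact. The retention schedule, record layout and sample records are all constructed for this example.

```python
# Added example (not Wavestone's code): retention indexing, in-scope search and
# integrity-preserving erasure over a constructed record store.
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Constructed retention schedule: category -> days to keep after the record's
# relevance date. None marks a legal hold that is never auto-deleted.
RETENTION_DAYS = {"marketing_consent": 365, "invoice": 6 * 365, "litigation_hold": None}

@dataclass
class Record:
    record_id: str
    category: str
    relevant_from: date   # date from which the retention clock runs (step 1: indexing)
    store: str            # "live", "archive" or "backup"
    payload: str
    erased: bool = False
    tombstone: str = ""   # proof of erasure kept in place of the payload

def in_scope_for_deletion(rec: Record, today: date) -> bool:
    """Step 2: index-driven check that the record is past its retention period."""
    days = RETENTION_DAYS.get(rec.category)
    if days is None or rec.erased:
        return False
    return today > rec.relevant_from + timedelta(days=days)

def find_candidates(records, today):
    """Step 2: search every store, including archive and backup copies."""
    return [r for r in records if in_scope_for_deletion(r, today)]

def erase(rec: Record, today: date) -> Record:
    """Step 3: remove the payload but keep the row and a dated hash tombstone, so
    foreign keys and the audit trail remain valid and the erasure is provable."""
    digest = hashlib.sha256(rec.payload.encode()).hexdigest()
    rec.tombstone = f"erased {today.isoformat()} sha256={digest}"
    rec.payload, rec.erased = "", True
    return rec

def run_retention(records, today):
    return [erase(r, today) for r in find_candidates(records, today)]

def sample_records():
    """Constructed sample data spread across live, archive and backup stores."""
    return [
        Record("c1", "marketing_consent", date(2019, 6, 1), "live", "opt-in j.doe"),
        Record("c2", "marketing_consent", date(2020, 12, 1), "live", "opt-in a.roe"),
        Record("i1", "invoice", date(2014, 1, 1), "archive", "INV-0001 a.roe"),
        Record("h1", "litigation_hold", date(2010, 1, 1), "archive", "case file"),
        Record("c1-bak", "marketing_consent", date(2019, 6, 1), "backup", "opt-in j.doe"),
    ]

def demo_run(today=date(2021, 1, 1)):
    return run_retention(sample_records(), today)
```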
Unstructured data is defined as information that either does not have a pre-defined data model or is not organised in a pre-defined manner. Unstructured information is typically text-heavy, but may contain dates, numbers, and facts as well. Many sectors are facing an increasing challenge regarding how to ensure Data Privacy compliance for unstructured data.
Unstructured data exists in silos across an organisation’s documents, folders and databases. In preparing for emerging technological and regulatory changes, organisations must develop the capabilities to identify unstructured data within their organisation and remediate any privacy risks posed by it. In order to track and maintain the sensitive data an organisation is responsible for, a ‘structured filing system’ is crucial for indexing personal user identifiers to prepare for regulatory obligations.
There are a range of tools and methods that can be deployed to discover, classify, report, alert, and control unstructured data when it is at rest and when in transit. Both manual and automated methods can be costly, slow, and difficult to implement. An iterative and prioritised approach to managing the risks relating to unstructured data is required and any tools and methods which are deployed need to be carefully evaluated to make sure they are both affordable and effective.
Any programme addressing unstructured data must include remediation of the high priority operational risks posed by the orphan and dormant data within specific business areas. Additionally, any programmes should manage an improvement in the organisation’s privacy posture by identifying and mitigating risks arising from GDPR defined sensitive data, held within the client’s unstructured data landscape (scanning metadata and reporting).
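The discovery, classification and prioritisation described in the two paragraphs above, as an added example that is not Wavestone’s code: each file in a constructed inventory is checked for orphan ownership (owner no longer in the staff directory), dormancy (untouched beyond a threshold) and the presence of identifier or GDPR special-category data, and the findings are ranked so that remediation can start with the highest operational risk. The thresholds, detectors and inventory are constructed assumptions.

```python
# Added example (not Wavestone's code): a prioritised scan over an inventory of
# unstructured files, reporting orphan, dormant and sensitive-content findings.
import re
from datetime import date

DORMANT_AFTER_DAYS = 730          # constructed threshold: untouched for > 2 years
ACTIVE_OWNERS = {"alice", "bob"}  # constructed directory of current staff

# Constructed detectors: a plain identifier (email) and a GDPR special category (health)
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "health": re.compile(r"\b(diagnos\w*|prescription|medical)\b", re.I),
}

def scan_file(meta, today):
    """Return one finding: risk flags, sensitive-data hits and a priority score."""
    age_days = (today - meta["modified"]).days
    flags = []
    if meta["owner"] not in ACTIVE_OWNERS:
        flags.append("orphan")
    if age_days > DORMANT_AFTER_DAYS:
        flags.append("dormant")
    hits = [name for name, rx in DETECTORS.items() if rx.search(meta["text"])]
    # Constructed weighting: special-category data outranks plain identifiers,
    # and each operational flag adds one point.
    score = 3 * ("health" in hits) + 1 * ("email" in hits) + len(flags)
    return {"path": meta["path"], "flags": flags, "sensitive": hits, "priority": score}

def scan_inventory(files, today):
    """Scan every file and return the report, highest priority first."""
    report = [scan_file(f, today) for f in files]
    return sorted(report, key=lambda r: r["priority"], reverse=True)

def sample_inventory():
    """Constructed file metadata as a discovery tool might index it."""
    return [
        {"path": "/share/hr/old_sickness_log.docx", "owner": "carol",
         "modified": date(2018, 3, 10),
         "text": "Medical note: diagnosis recorded for j.doe@example.com"},
        {"path": "/share/sales/leads_2020.xlsx", "owner": "alice",
         "modified": date(2020, 11, 15), "text": "Contact buyer@example.org in Q1"},
        {"path": "/share/finance/minutes.txt", "owner": "bob",
         "modified": date(2017, 1, 5), "text": "Board minutes, no personal data."},
        {"path": "/share/it/readme.md", "owner": "alice",
         "modified": date(2020, 12, 1), "text": "How to request access."},
    ]

def demo_scan(today=date(2021, 1, 1)):
    return scan_inventory(sample_inventory(), today)
```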
The third area of focus in 2021 is around Third-Party Compliance. It is crucial that organisations look beyond the bounds of the data shared internally and consider the transfer of data to and from third parties. Where companies outsource the processing of their data to third parties while retaining the role of ‘data controller’, they remain responsible for the compliance of both themselves and the third party. While there are different forms of liability for data breaches, determined by the contracts signed, it is crucial to remain vigilant and aware of the risks of any external data processing.
There is a need for diligent assessment of third parties, their policies and processes. Businesses should develop the right tools to complete due diligence on any vendors who will be processing their data, including questionnaires and compliance checklists. Furthermore, periodic audits and reviews of third parties will help ensure their compliance controls are sufficient to prevent potential issues. Finally, in line with the ever-evolving regulatory landscape, organisations must closely monitor any developments and alter their oversight of third parties’ GDPR compliance accordingly.
What should you do now?
In driving their organisation’s Data Privacy journeys, DPOs must look to follow a clearly defined strategic roadmap. This should include considering the ‘quick wins’ brought about through embracing appropriate technologies in the context of their Data Privacy maturity and the risks they face.
While there are a host of trending and emerging technologies which can assist any programme addressing Data Privacy, we believe that the three challenges highlighted above and the adoption of technology to help address them will occupy the majority of DPOs in 2021.