The concept of data protection has been discussed for quite some time. Now it has become urgent, especially with the advent of GDPR. The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, and the impacts of the European regulation are global.
In my opinion, there are some common emergent themes in the ways that compliance efforts toward GDPR are falling short. Some of these include:
Lack of clarity on how to interpret requirements
There are a number of guiding principles that govern GDPR, and these are open to subjective interpretation as they aren't prescriptive or precise. As a result, there is confusion amongst multinational firms and their compliance teams as to how to comply with these guiding principles and refactor both data storage and business process practices. For example, under the guiding principle of lawfulness, any entity that is processing or storing EU citizen data must have the permission of the individual or have a lawful basis for collecting/processing the data. As one can surmise, this leaves a great deal of room for interpretation as to what "lawful basis" might mean.
Lack of clarity on the scope of the regulation
There is significant confusion around estimating what sort of data processing/retention as well as business process activities would be considered in scope and responsive to GDPR. The C-suite believes the regulation to have significant, onerous impacts on both business processes and IT implementation of compliance solutions. The deadline to comply is also rapidly approaching, forcing many compliance teams to make subjective interpretations and forge a path ahead.
Lack of capabilities to comply
Most compliance teams are faced with the daunting challenge of developing the skills and methodologies needed to execute, secure, and monitor EU data subjects' rights under GDPR. For example, the right to data portability mandates that all data must be handed over and cleansed from a firm's computing ecosystem upon receiving a request from an impacted EU citizen. For a multinational bank that must off-board a client, this means all of that client's personal data, and likely all of their transactional data, must be exported and transferred to them or another bank and then expunged upon transfer. This may include both structured and unstructured data as well as any marketing/personalization data.
Most of the technological infrastructure needed to achieve this doesn't exist today. It will likely require a bank to consolidate data from a litany of systems scattered across their IT ecosystem. In the example of a bank, customer data is stored in application and data silos that support a particular line of business within the bank. For example, a customer may have checking/savings accounts, a loan/mortgage as well as credit cards and brokerage/wealth management accounts with a single bank. Each of these lines of business within the bank stores, moves, and treats customer data entirely differently. The same pattern exists within the insurance space as well as multi-purpose healthcare systems. Companies will also likely have to create new authentication systems and application programming interfaces (APIs), not to mention secure vaults where this exported information will reside until it is expunged.
Inability to inventory and maintain a catalog of business processes and data (content) involving personal information
Most enterprises lack a well-considered, automated, and repeatable method to inventory and catalog the business processes and systems that interact with GDPR-responsive data. Most will likely adopt a manual, paper-based approach, which will pose significant challenges when audit logs, inventories, and data disposition trails are demanded by the regulators ad hoc. The task of keeping a master catalog current as enterprises on-board new systems and retire legacy ones adds to the complexity as well as the confusion. Compounding these challenges is the need to keep the data inventory and catalog fresh, updated in real time, and available on demand to the regulators.
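To make the portability and cataloging problems concrete, here is an added example (not code from the article or from any vendor platform it refers to) of a catalog-driven export-and-expunge workflow: a master catalog records which siloed system holds personal data and under which identifier, a single routine gathers a subject's records across every catalogued silo into a portable bundle with an integrity digest, deletion is refused if the data changed after the export was taken, and every step lands in an append-only audit trail of the kind a regulator might request. The silo names, record layouts, subject ids, and function names are all constructed for illustration.

```python
"""Added illustration (not the article's code): a data-subject export-and-expunge
workflow across siloed systems, with an audit trail a regulator could ask for.
All silo names, record layouts and subject ids below are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed master catalog of systems that hold personal data. Each entry names
# the silo, the field that identifies the data subject in that silo, and whether
# the content is structured. New systems are covered as soon as they are catalogued.
CATALOG = {
    "checking":  {"subject_field": "customer_id", "structured": True},
    "mortgage":  {"subject_field": "borrower_id", "structured": True},
    "cards":     {"subject_field": "customer_id", "structured": True},
    "marketing": {"subject_field": "customer_id", "structured": False},
}

# Constructed silo contents standing in for separate line-of-business databases.
SILOS = {
    "checking": [
        {"customer_id": "C-1001", "iban": "DE00 0000 0000 0000 0000 01", "balance": 2500.00},
        {"customer_id": "C-1002", "iban": "DE00 0000 0000 0000 0000 02", "balance": 90.00},
    ],
    "mortgage": [
        {"borrower_id": "C-1001", "principal": 180000, "rate": 0.031},
    ],
    "cards": [
        {"customer_id": "C-1002", "pan_last4": "4242"},
    ],
    "marketing": [
        {"customer_id": "C-1001", "notes": "prefers email; interested in ETFs"},
    ],
}

AUDIT_LOG: list = []  # append-only trail of what was exported, expunged or refused


def _audit(event: str, subject_id: str, detail: dict) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "subject": subject_id,
        **detail,
    })


def _digest(data: dict) -> str:
    # Canonical JSON so the same records always hash the same way.
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def collect_subject_data(subject_id: str, silos=SILOS, catalog=CATALOG) -> dict:
    """Walk every catalogued silo and gather this subject's records, keyed by silo."""
    found = {}
    for silo, meta in catalog.items():
        key = meta["subject_field"]
        matches = [r for r in silos.get(silo, []) if r.get(key) == subject_id]
        if matches:
            found[silo] = matches
    return found


def export_bundle(subject_id: str, silos=SILOS, catalog=CATALOG) -> dict:
    """Produce a machine-readable portability bundle plus a digest so the
    receiving party can verify the bundle was not altered in transit."""
    data = collect_subject_data(subject_id, silos, catalog)
    digest = _digest(data)
    _audit("export", subject_id, {"silos": sorted(data), "sha256": digest})
    return {"subject": subject_id, "data": data, "sha256": digest}


def expunge_subject(subject_id: str, bundle: dict, silos=SILOS, catalog=CATALOG) -> dict:
    """Delete the subject's records from every silo, but only if the systems still
    match the bundle that was handed over (records may change between export and
    deletion). Returns per-silo deletion counts."""
    if _digest(collect_subject_data(subject_id, silos, catalog)) != bundle["sha256"]:
        _audit("expunge_refused", subject_id, {"reason": "data changed since export"})
        raise RuntimeError("export is stale; re-export before expunging")
    deleted = {}
    for silo, meta in catalog.items():
        key = meta["subject_field"]
        before = len(silos.get(silo, []))
        silos[silo] = [r for r in silos.get(silo, []) if r.get(key) != subject_id]
        removed = before - len(silos[silo])
        if removed:
            deleted[silo] = removed
    _audit("expunge", subject_id, {"deleted": deleted})
    return deleted


if __name__ == "__main__":
    bundle = export_bundle("C-1001")
    print(json.dumps(bundle, indent=2))
    print(expunge_subject("C-1001", bundle))
    print(json.dumps(AUDIT_LOG, indent=2))
```

The design point is that the catalog, not a hard-coded list of databases, drives both the export and the deletion, so keeping the catalog current is what keeps the data-subject workflow complete; and the digest check means a stale export can never silently be used to justify deleting data the subject never received.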
Implications for security procedures and protocols
As GDPR introduces new requirements, these will in turn necessitate upgraded security systems as well as protocols. Compliance teams are just beginning to ascertain what that might mean for them as they build their master catalogs of data and business processes that are responsive to GDPR. Compliance teams should realize that these new protocols should be proportionate to the risks pertaining to different types and aspects of responsive data and processes. There needs to be a well-documented, transparent approach to security procedures and protocols that outlines the risks to the enterprise and the recommended measures needed for mitigation: capabilities such as encryption, secure data disposition (deletion), secure data exports, etc.
These challenges are certainly daunting. However, compliance teams are able to leverage modern digital business platforms that allow for open, transparent and secure inventorying, storage, exports and deletion of data. These platforms also have robust reporting and analytics capabilities that allow for ad-hoc, on-demand reporting that can be submitted to regulatory bodies.