Over a year since the General Data Protection Regulation (GDPR) came into effect in May 2018, FRA Director Doel Kar discusses ‘top of mind’ priorities for organizations looking to develop a robust data protection compliance program when facing the challenges associated with “GDPR compliance”.
We are all constantly producing and releasing data about ourselves. We do this simply by moving around and being registered by cameras or card usage, or by logging onto our smartphones and PCs. 5G and the advent of the Internet of Things (IoT) will continue the rise of data. In the inevitable event of cyber-attacks, data loss, or the misuse of information, a strong compliance program will be key in reducing the impact of fines and penalties. Although it has been over a year since the GDPR came into effect, “GDPR compliance” is still very much a pressing issue.
Before defining top of mind priorities for a “GDPR compliance program”, it is important for an organization to clarify what exactly it envisions when referring to “GDPR compliance”. Is it compliance with the EU regulation alone? Is it protection of individuals’ data privacy? Or, is it maintaining standards of data security? Arguably, it should be all of the above. Data privacy issues are centered on the protection of data, which is in turn dependent upon data security systems. To be effective in this space, the program cannot comply with one regulation alone, but must take into account worldwide practices. Each jurisdiction has its own data regulations and privacy laws. An organization must ensure that requirements of every jurisdiction in which it conducts business are factored into the company’s global data protection program.
So, what should an organization’s top priorities be when developing an effective data protection compliance program?
Firstly, you need to know where your data resides. There is no escaping the vast volumes of data that an organization deals with on a daily basis. An IBM study in 2017 found that 90% of the data in the world had been created in the previous two years. By 2020 it is estimated that 1.7 MB of data will be created every second for every person on earth.
It is more crucial than ever to define data mapping policies. You must understand the types of data collected by your organization; how it is collected; for what purpose it is used; and where and how it is stored. For example, using numerous cloud service providers to handle and store ever-increasing volumes of data adds another layer of complexity to the exercise of data mapping. When designing a compliance program, it is critical to first understand where the servers of such cloud service providers are located and how the data is stored, for example in shards across different physical locations. IT procurement personnel must carefully review the contracts and examine where those servers’ back-up data may be stored. Compliance officers must make the IT department and procurement team aware of the repercussions of procuring systems and services that result in the organization’s data being located in jurisdictions where differing data protection laws can create additional legal and compliance challenges.
Secondly, compliance teams should pay heed to the “Technical and Organizational Measures (TOMs)” that are mentioned over 80 times throughout the GDPR provisions. TOMs are essentially the policies, procedures, systems and controls required to comply with the GDPR. This emphasizes the correlation between driving technical standards of data security and pursuing data privacy and protection compliance objectives in tandem. Organizations must focus on their TOMs as a key priority for compliance, as these controls are the foundation of a robust data protection program. These measures can make or break a program. Without strong TOMs in place, the company’s data protection program is at risk of remaining a “paper” program. TOMs make the program effective.
A third priority to keep in mind relates to the risks associated with third parties. Third-party risk is highly relevant when addressing data protection compliance, the Cambridge Analytica scandal being one case in point. Carefully drafted contract terms can help address this risk. These terms are largely technical in nature, such as those relating to access control and to physical and network security requirements. Performing vendor due diligence, including vulnerability assessments, can bolster an organization’s controls and make it less susceptible to potential breaches originating in its third-party ecosystem.
This emphasis on managing third-party risk is one of a number of similarities between the enforcement of financial crime laws and data breach laws. A review of the Federal Trade Commission’s (FTC) recent settlement obligations regarding consumer data protection – including the $5bn Facebook settlement – reveals a close parallel with the elements of an effective compliance program found in the US Federal Sentencing Guidelines. Apart from implementing appropriate measures for third-party engagement, these FTC settlements have also called for the implementation of safeguards and procedures, the designation of employees responsible for the privacy program, risk assessments, and regular monitoring and testing – all elements expected of an effective compliance and ethics program. This parallel presents an opportunity for companies to translate the lessons learned and solutions developed over years of government scrutiny and anti-financial crime enforcement to the mounting focus on data privacy and data security regulations.
Finally, as is the case in most areas of compliance, an organization is most effective when leveraging multi-disciplinary skills. Data privacy is not a job for lawyers alone. Whether implementing appropriate technical measures or defining the security standards required of a vendor, professionals experienced in data governance and information technology are a must. Technical know-how and skills are essential to ensuring the effectiveness of any data protection compliance program.
There is no doubt that organizations are feeling the effects of intensifying data regulatory forces from various jurisdictions and stakeholders. This year alone has seen a notable ramp-up of “mega-fines” such as the US FTC settlement with Facebook ($5bn); the UK ICO’s fine against British Airways (£183M); and the French CNIL’s fine of €50M against Google. In-house teams need to join forces with appropriately skilled technical and compliance professionals in order for the organization’s data privacy and security standards to be on par with its compliance aspirations across the board.