The Two Key Challenges of GDPR Adoption

Author: Ramón Serres, CRISC, CISM, CGEIT, CSX-P, CDPSE, COBIT Foundation, CCSK, CISSP
Date Published: 1 March 2019

The day the EU General Data Protection Regulation (GDPR) went into effect, 25 May 2018, marked a real landmark regarding personal data protection for which much information and training has been distributed, more or less accurately. As the date on which the regulation took effect was announced well in advance, many organizations took the opportunity to start preparing for it well ahead of time, initiating their corresponding GDPR adaptation programs. Others waited to see what peers, competitors or closely aligned organizations were doing. Some procrastinated until they had to rush to create a last-minute GDPR adaptation program, which, in some cases, was more about ticking the box to say that they had adapted rather than actually transforming the organization in all the necessary dimensions.

Now that the date has passed, organizations are well beyond the collective hysteria caused by the 25 May 2018 implementation deadline and have a valid perspective, based on real experience, from which to better understand what privacy and GDPR are really about. It is also a good time to identify which of the measures taken were necessary and which could have been avoided, to get a clear picture of what remains to be done, and to identify where the main hurdles actually are.

GDPR states privacy protection imperatives very clearly and is creating a new culture that is more aware of and concerned with privacy. More importantly, GDPR has educated consumers to care about their own privacy. It has educated them to think more carefully before disclosing personal data to an organization for a certain purpose. This education that is gradually being introduced into organizations’ DNA is about culture, something that goes well beyond just having a data protection policy. And therein lie the two biggest challenges many organizations face with regard to GDPR adoption: cultural transformation and privacy by design.

What Is This GDPR Transformation About?

The rush to GDPR adoption has been carried out either by using public guidelines and resources provided by EU member-state data protection agencies, or with external help from consulting firms. And in that rush, all along the journey, there have been points where interpretations of the regulation differed from one organization to another, and things that seemed very important in one organization were not considered important in another.

During this process, many tasks were completed, often beginning with identifying how enterprises handle personal data, applying risk management principles to identify risk from the individual’s perspective, and then analyzing risk, assessing current protection measures and developing a very long list of tasks encompassing many domains.

Some of the specific topics that have been addressed along the way include:

  • Reviewing processes by which the organization manages personal data (i.e., data collection, either offline or online, data use and exploitation, storage) and reconfiguring these processes so that they become GDPR compliant. These processes are actually key to enabling GDPR compliance that goes beyond the GDPR adoption project.
  • Discussing what the data privacy officer (DPO) is meant to do, the DPO’s real roles and responsibilities, and how this definition of the role matches the current corporate governance structures in the organization.
  • Establishing new ways of working in many organizations. These new ways of working have brought about new cultures and new values.
  • Giving the GDPR principles regulatory standing within the organization by embedding them in the organization’s policies.
  • Gaining awareness of and visibility into personal data processing that had not been formally identified before. A byproduct of GDPR adoption measures for many organizations was new insight into the information circulating in business processes and the information that flows from one department to another, from one application to another and from one infrastructure to another.
  • Gaining visibility into all the IT systems that participate in managing the personal data required to run businesses. For many, GDPR implementation uncovered complex IT landscapes that entailed many services, applications, and servers (both physical and virtual), either in-house or in the cloud.
  • Requiring training for all employees who are responsible for any kind of personal data treatment or handling. There are many ways to train people, from very costly training strategies used by big organizations to simply reading free literature or watching free online courses on GDPR requirements.

A Matter of Governance

To those more or less familiar with governance frameworks and, more specifically, with the COBIT 5 governance enablers, the clear link between the aforementioned issues and the seven governance enablers found in COBIT 5 will not have gone unnoticed. And this is because, to a great extent, privacy requires governance. Senior management is tasked with setting the direction as to how to manage privacy in the organization and in its processes, its culture and its people, and its regulatory framework.

In other words, having a highly skilled team behind the GDPR adoption program is useless unless the other governance levers, such as policies, processes and culture, are activated as well. Only when all the levers are activated is it feasible for the clear direction set by senior management on privacy to materialize.

But where has the real challenge in the journey toward GDPR compliance been?

The Real Challenge

Going back to the GDPR adoption programs, discussing the approaches taken in various organizations with peers and colleagues suggests that two particular topics have presented the biggest challenges:

  • Privacy by design
  • Cultural transformation

Though they are two different topics, there is a clear link between them.

Privacy by Design

It seems that privacy by design is a crystal-clear concept understood mostly from a theoretical perspective. However, when the hands-on work is undertaken to implement it, can an effective way of doing it be found? Is it a matter of elaborating on an internal regulation that states that any project dealing with personal data should take privacy seriously from the very beginning? Would that solve the problem even if that internal regulation is formally approved by senior management and made public to the organization? In time, would that actually fill all possible gaps where privacy should be considered?

There are a few factors that pose certain difficulties:

  • Many personal data processing treatments, at some point, trigger an IT project. Therefore, though certain internal controls could be embedded within an IT project management methodology to get the privacy team involved, there would certainly be gaps, as many personal data treatments do not necessarily imply an IT project.
  • Many personal data treatments are not necessarily a project; many are initiatives that are triggered by a simple request.
  • Internal controls could be embedded in the procurement processes for any sort of third-party solution (e.g., external services, mobile applications, IT solutions). But still, there would be a gap for all those personal data treatments that did not require any purchasing at all.

There are many other situations like these where gaps remain, and this points to the fact that privacy by design cannot be tackled simply by issuing a regulation that says it must be so or by modifying one single process or procedure. The lesson learned is that privacy by design will most probably end up being a set of internal controls scattered across various policies and procedures and across the definition of roles and responsibilities in many functions of an enterprise.

Cultural Transformation

Cultural transformation can end up being a higher mountain to climb than privacy by design. Sooner or later, organizations will manage to have updated inventories of personal data treatments or privacy impact assessments. Organizations will have adapted a privacy policy and data processing agreements. They will even have implemented all the technical measures based on database encryption and other more or less sophisticated access management solutions. Organizations will have a DPO and a clear statement of responsibilities. And so on and so forth, but the key and real challenge will be to transform the culture: to promote a culture that cares for individuals’ privacy; to implement a culture that understands that, at some point, decisions will have to be made between the practical path (e.g., keeping a candidate’s resume in a drawer “just in case”) and the right thing (e.g., shredding the resume once the purpose for which it was collected is completed). Eventually, decisions will have to be made between rewards and privacy. A culture is something that must be solid and robust, without cracks at any organizational level, or it will certainly fail.

Stakeholders may think that tackling the people dimension of GDPR—the personal and cultural transformation—is about launching an e-learning program on data protection, but that is not the right understanding.

As with the corporate values, the culture has to be present during any minor decision (e.g., what a human resources [HR] recruiter does with a candidate’s printed resume) up to higher-level decisions (e.g., involving the DPO or the chief information security officer [CISO] early in projects that will involve sensitive personal information, empowering the DPO or the CISO to make unpopular decisions if privacy good practices are not being used). Again, as with the corporate values, any manager at whatever organizational level in the enterprise displaying a disregard for privacy will have a negative effect on his or her team, with a multiplying effect. Why should anyone care about privacy if their manager does not really care? And, of course, it also works the other way round: Good managers can be inspiring leaders to the rest of the organization.

And if there is a meaningful link between this privacy culture and the corporate values, should not privacy be considered one of the corporate values?

As mentioned earlier, creating this necessary culture is not about launching an online training course. It is not about placing posters in meeting rooms. These measures may help, but creating this necessary culture is about embedding this change of attitude and behaviors in employees’ daily lives, ideally to the point where it can be said, “This is the way we do it here. This is the way we do things in this organization, because we all take privacy extremely seriously.”

This change in the organization’s DNA and its culture will also end up being an enabler to the privacy-by-design principle, because, apart from reinforcing and ensuring privacy through the definitions of roles and responsibilities, corporate policies and standard operating procedures, etc., the organization will not have to rely solely on these artificial mechanisms. Rather, it will have the confidence that its people consider privacy in initiatives, digital projects and digital transformation, website and mobile applications developments and launches, and much more.

Conclusion

GDPR will, fortunately, leave a legacy of a set of good practices and internal controls that, if not in place before, will help to implement a respect for people’s privacy, be they customers, employees, providers, etc.

Organizations that had previously taken personal data protection seriously will probably have less work to do than those that had not attended to it before.

But, above all, the paradigm shift pushed forward by GDPR implementation remains a challenge when it comes to truly embedding privacy into the organization’s processes, and, on the cultural side, when it comes to changing, evolving and transforming the organization’s culture and the way its people manage privacy. Gradually, the day is coming when consumers will place more value on those organizations that take privacy seriously, distinguishing them from those that just ticked a box to say “we have adapted to GDPR” but have not actually changed anything.

Ramón Serres, CRISC, CISM, CGEIT, CCSK, CISSP
Is an industrial engineer with a long career in IT and a passion for information security and risk management. After being a management and e-business consultant in his early years, he has held several management positions in consumer goods and currently works for Almirall, a pharmaceutical company based in Barcelona, Spain. Over the last few years, Serres has successfully led a transformational project in his current enterprise, bringing the information security function to the business and the C-level and pushing the organization to a higher maturity level.