Transitioning to an agile operating model is an ambition of many companies in all sectors. From multinational software companies and major banks to startups, agile is a clearly visible trend: many organizations are simplifying their structure and processes, lowering formal and procedural requirements, and trying to stay as close as possible to their customers and respond flexibly to their requirements.
On the other hand, the regulation of personal data processing in the European Union has contained the accountability principle since 2016, when the General Data Protection Regulation was adopted, and in practice since 2018, when it came into effect. According to this principle, the data controller is obliged both to comply with the GDPR requirements and to document compliance and be able to demonstrate it.
Standard practice for following the GDPR accountability principle may impose quite a heavy administrative burden within an agile structure, especially when a new product or a new communication channel is introduced. Such introductions rely on a series of successive approvals and privacy impact assessments. A set of documentation has to be prepared, a comprehensive vendor check should be done when the organization intends to use an external party for part of the data processing, and so on.
In this article, we will briefly analyze and challenge the statement that the approach to the GDPR accountability principle in an agile operating model should differ from that in an organization with a conventional structure and operating model. Secondly, we will propose a few crucial points on how to achieve GDPR compliance in an agile company in a flexible and effective way.
Agile
What do we mean by the word agile or agile operating model?
In software development, the term agile was broadly introduced in 2001 in the Agile Manifesto as the opposite of the classical waterfall approach. In this document, a group of software developers introduced 12 principles of the agile approach to software development. Later on, this approach spread to other areas beyond software development, namely to the structure of the whole organization, to the preparation of entirely new products or communication channels for clients, and so on.
What are the basic agile principles? The work, development or operating model should be based on small, self-organizing teams with a cross-functional mixture of IT and business staff. The teams should have a high level of independence, the ability to decide quickly, and a shared mission, such as preparing a new product or a fully online mortgage application. Results should be delivered incrementally, in sprints lasting a few weeks. Regarding the documentation of work, the agile operating model values working content over documentation.
In other words, the agile operating model is based on small, independent teams that decide quickly and keep the customer and the product or software development at the center of their attention. It is clear that it is not easy to ensure properly working control functions in an organization with an agile way of working. This applies in general, and in particular to personal data protection, where accountability is one of the leading principles.
Accountability
One of the major changes brought by the GDPR is the explicitly stated accountability principle, which puts even stronger emphasis on, and adds further requirements to, the controller's responsibility to ensure compliance with data protection regulations. Moreover, to demonstrate compliance, the controller must also provide adequate evidence.
In other words, to demonstrate compliance, proper documentation of processes and procedures should be in place. In the context of the agile operating model, this means that, for example, if a new product or process is being implemented, a number of related documents should be prepared prior to its release. Namely, the description and settings of the product/process, including its entry in the records of processing activities (register), a risk analysis, a data protection impact assessment in case of high risk, vendor management documentation, and so on. These are all mandatory requirements of the GDPR, which have to be properly documented to demonstrate compliance, and their absence cannot be excused before a regulator by pointing to the agile model.
How to ensure GDPR accountability in an agile organization?
As indicated above, it may be very challenging for companies adopting the agile trend to properly manage all their data protection related responsibilities. Nevertheless, it is crucial to stay on track with the accountability principle and have proper policies and procedures in place. Inadequate implementation of the accountability principle in practice may lead to a data breach, or to an improper or unlawful design of a new product that necessitates a complete redesign, including new IT development, and so on.
Last but not least, a lack of assigned responsibilities and documentation may be assessed as a breach of the GDPR in itself, and gaps in processes may lead to missed deadlines and consequently to a fine from the regulator.
To avoid the above-mentioned issues and deal with these requirements, the following tools and steps, or combinations of them, can be put into practice. Namely:
Tone at the top, which is more relevant in this case than ever
Agile should not be viewed as the ultimate goal, but rather as a tool for reaching set objectives (faster delivery to clients). A basic element of this is making the effort to work in an agile way also with respect to regulatory requirements, and top management should clearly emphasize this as a priority.
Properly assigned responsibilities and awareness of people in the business
One person or group of people responsible for data protection, or more broadly for the regulatory compliance of new deliveries, in each relevant agile team (squad, cluster, tribe, etc.) would constitute an appropriate first line of defense. Their role should be, first, to identify the potential regulatory consequences of new tasks and the relevant risks, and to communicate with subject matter experts about the most important or risky issues. The limits within which the agile team is allowed to make its own decisions, and the situations in which it must seek the advice and opinion of the DPO, legal, risk, etc., should be clearly stated and adjusted if necessary.
Knowledge base and expertise, ideally a person or expert to whom queries from the first line can be addressed
This could be, for example, the data protection officer or an equivalent role, ensuring that the DPO's role is fully recognized as the second line of defense. In addition, brief and practical guidelines or manuals should explain the rules and procedures to follow in a defined context: for example, guidelines on marketing activities, guidelines on involving external providers, guidelines on collecting customer data, and so on. A tailored, risk-based approach should also be considered in this step.
Awareness and personal responsibility of management and agile teams
Personal responsibility and ownership of processes are among the agile values, and an essential part of this should be the acceptance of responsibility for compliance with the GDPR and other applicable regulations as well. If someone is responsible for preparing a process or making a decision about it, then this person should consider the regulatory requirements or seek expert advice.
Deployment of a control framework
It is necessary to check and challenge the implemented processes and procedures: whether they are efficient, appropriate and, in fact, followed internally. Results and findings from this second-line-of-defense monitoring may indicate pain points, necessary adjustments or a need to escalate an issue, for example rules for agile team decision making that are too vague or too strict, insufficient awareness of the regulation, and so on.
An agile working model can significantly streamline the daily work of a company and accelerate the delivery of its products to clients. Ensuring compliance with the GDPR accountability principle is an important challenge to be tackled. With a proper and rational setup, allocation of resources and assigned responsibilities, tone at the top and control mechanisms, the investment should not be considered wasted. The effort and time devoted to preparing the necessary documentation and procedures and to strengthening awareness will allow companies to prevent undesirable incidents, the additional costs of redesigning products and, in the worst case, fines.