In the second of a three-part series on the people, process and technology impacts of Europe’s forthcoming General Data Protection Regulation, Steve Kenny looks at how the new rules will effect change organizationally.
Part Two: Process
Executive awareness of the General Data Protection Regulation (GDPR) is typically based on two factors. First is a board’s quest to create value from innovation, which has driven ambitious initiatives to define and unify data strategies across divisions. Second, the GDPR obliges audit committee mandates to intersect those objectives as the shareholders’ fail-safe, given their charters include:
- Regulatory compliance
- Corporate governance
- Enterprise risk management
Board and audit committee interaction should result in a heterogeneous allocation of privacy risk tolerances and governance investment across the organization, empowering chief privacy officers (CPOs) to drive change.
While GDPR requirements have yet to be finalized, 20 years of jurisprudence dictate a direction of travel. What will likely follow affects five key areas within an organization.
Change 1: Using Customer Insights To Power Risk-Management
Through data portability, the GDPR redresses imbalances between monetization investment and individuals’ ability to benefit from, or keep private, data about their lives. Societies' expectations invariably advance faster than the law, and that’s also the case with privacy. Customers have expectations to self-determine what they increasingly consider theirs. Europe’s court system will no doubt provide the arena to decide competing claims between self-determination and legitimate interests.
Impact: Advanced privacy-metrics models will measure up- and down-side risk by looking backward and predictively forward. Such models drive value at risk and insurance decisioning, and articulate cause and effect between margin expansion/compression and privacy investment/behaviors. Such metrics models are absolutely foundational to ensuring customer privacy sentiment leads the maturation of privacy management.
The path to maturity often starts with robust evidencing of incidents and subject-access requests. From here, consider privacy sentiment as a stream of customer insight elicited from channels such as ad networks, marketing preferences and contact centers. Take the latter as an example. Poor customer experiences, e.g., overly invasive identity verification or poor call-handling in response to negative reactions to a marketing campaign, translate in the GDPR to material risks, as empowered customers explicitly question privacy practices.
What can be captured here is the privacy voice of the customer. These measurements are crunched to output insights predictive of exposure events yet to occur and can also drive behaviors that can be used to curate augmented value propositions. These are examples of managing the duality of up- and down-side risk. Investment in a metrics model credible with chief marketing and risk officers is essentially a smart compensating control for increasingly risky data and digital intensive efforts, moving companies upward and rightward in the privacy grid.
Change 2: Data
How Data Is Lawfully Captured and Used Becomes More Prescribed Within the GDPR
Impact: There are very few loyalty programs that request customers to discretely consent to personalized offers generated by their relevance engines, but such examples will become the norm.
Explicit consent is a mindful consent. Self-awareness over how and why insights about a private life are monetized has emerged often emotively into social consciousness. And so efforts to enhance transparency and the quality of consent will come to the fore, especially given stronger purpose-limitation restrictions and increasingly narrow uses of legitimate interests.
While there continue to be no property rights vested in personal data, Europe persists with an open-ended definition of it. But consent interacts with a definition of personal data. And today, research demonstrates beyond doubt that even metadata can be re-identifiable. In combination with explicit consent and extraterritorial reach, this effectively places an incendiary into the plumbing of the most advanced and ubiquitous monetization architecture of today—Internet advertising—one that cannot be disarmed by jurisdictional location, legal opinion or lobbying. What can overcome these constraints is science, engineering, legal analysis and a more insightful view of the customer.
Data consequences for CMOs will be substantial, affecting omni-channel acquisition, retention, reactivation and (mobile) payments. The advent of a citizen-powered market for data through portability rights will see customers leveraging their data on their terms. For CMOs who are agents of change, these developments present plentiful opportunities to deliver first mover advantage.
For CROs, data-reciprocity frameworks underpinning credit, coverage, compliance and fraud-decisioning become subject to strengthened, though relative, rights such as up to real-time erasure. They will tend to bite more, with potentially serious consequences, because of the narrowed applicability of legitimate interests as a ground for processing, and the increased potential of causing harm and discrimination exposures in a newly privacy-litigious EU. More generally, passing data through a super-distributed chain and being held jointly accountable for its legitimate management is a problem only resolvable if all parties comply equally and collaborate for the benefit of the customer. And we are all someone’s customer.
Bottom Line: Build internal privacy litigation competences; identify top external litigation talent, and use scenario-planning to enable value.
Change 3: Core Compliance
The GDPR will likely have three times as many articles as the incumbent privacy directive. That level of prescription implements an accountability concept that ratchets up compliance obligations.
Impact: Mandated, independent and criminally liable data protection officer (DPO) appointments, with employment-law protection, for data controllers and processors will need to be absorbed into a corporate governance structure. New rights of erasure and portability add to time-boxed breach responses and evidencing of data flows at field level. Simplified data export procedures will make BCR de rigueur for controllers, processors and groups of undertakings. Records-management programs will need to expand to prepare for the advent of EU privacy litigation. And even today’s best practice in vendor management, precisely targeted privacy service level agreements, will become modified by both statutory and risk-management enhancements.
Compliance resources will need to shift more quickly toward digital. Complex exchanges of what becomes regulated as personal data require intelligent governance in the creative hub of the marketing function. Contact center governance will often need to be reengineered to drive transparency and control over potentially crippling risks residing there.
Compliance solutions will be sought for the right to be forgotten/erasure, embedding up to real-time removal of what are fluidly considered personal identifiers across all instances in which they exist, inclusive of third-party assets. Data portability will empower customers to port their data, including the segmentation attributes containing inferences about behaviors, from one service provider to another without delay.
Bottom Line: Refocus compliance budgets and consider auditability.
Change 4: Assurance
Privacy risk assurance activities, from privacy impact assessments (PIAs) to internal audit testing, become mandated under the GDPR to be externally reportable and discoverable.
Impact: PIAs will become threshold-based and managed as a portfolio, while legacy PIAs will often need to be cleaned up given retrospective enforcement and litigation claims. Most internal audit departments have steep learning curves ahead of them to deliver the credible test strategies the GDPR mandates. Even legal-style privacy audits will need to be augmented with substantive controllability testing to address the huge uplift in operational risk.
Attestation standards over third-party service providers will require the accounting profession to agree on the standards that close the controls gap between security and the GDPR. No assumption should be made that "privacy" here maps to anywhere near the GDPR. Without such assurance, organizations will be effectively reliant upon insurance to price the risk of leveraging subprocessing chains, leaving reputational risk untouched from the huge impacts of third-party breaches. And while the GDPR shares statutory risk more evenly between controller and processor, this will also aggregate risk into cloud and managed service providers.
Bottom Line: Create or (co-)source compelling privacy assurance skills.
Change 5: Regulatory Intermediation
Data protection authorities (DPAs) are being empowered, budgets expanded and investigatory powers enhanced. Regulators will build more systemic bridges into the scientific community to provide the research foundation upon which they can base opinions, the leading example being the Luxembourg Privacy Cluster.
Impact: Organizations that today consider themselves unregulated will become regulated by virtue of offering goods and services to EU residents who gain real power of recourse. Mandatory DPOs will be appointed, as they are already in some EU countries, licensed by DPAs to be the conduit between regulator and firm. While regulated industries such as financial services are in for less of a shock, DPAs will certainly not be a poor relation of financial service regulators.
Consequently, there is often a requirement to professionalize DPA intermediation, to ensure business continuity given more frequent and impactful interaction, prior regulatory approval for high-risk PIAs being a case in point.
The one-stop-shop/lead-authority DPA relationship emerging from the Binding Corporate Rules process has evolved into a concept of main establishment. Lead authorities regulate main establishments, which are often designated by location of a primary/secondary stock market listing. Care should be taken in their designation with respect to permanent-establishment declarations to tax authorities, given underpinning transfer-pricing structures can interact with data protection unpredictably. The picture is complicated again for non-EU headquartered entities, decentralized corporate structures and partnerships. Finally, the role of supranational oversight is pronounced in GDPR, so companies will have to be sensitive to Brussels-based intermediation.
Bottom Line: Professionalize relationships with DPAs.
The Evolving Role of a CPO
CPOs are positioned as the nexus between audit committee and board interest in data. Orchestration by CPOs across the five key areas discussed will allow expectations of shareholders, regulators and society to be met.
CPOs and DPOs do not necessarily need to be the same person. In certain cases, it may be advantageous that they are not and even externally provided, while in other cases combining roles can demonstrate a higher standard of corporate governance. CPOs with lines into chief compliance officers are often in the best starting position to effect change, given the prescribed character of the GDPR. Plus, overarching compliance and operational risk assets are typically within easy reach.
The inflection point between requirements for independence and enabling monetization is also a force driving the emergence of chief data officer (CDO) roles, to own an overall data strategy. CPO and CDO relationships will be key to risk management over the coming period. Both roles need to be carefully supported by CISOs, CMOs and CROs. In the absence of a CDO, similar effects can be achieved by proxy through a data governance committee.
Checklist
- Is the CPO's reporting line optimal?
- Have the key processes affected by the GDPR been threat-modeled, controls articulated and risk/value metrics implemented?
- Is the quality of externally reportable/discoverable records sufficient?
- How is external privacy investment balanced between legal and operational risk?
Part three of this series will look at the GDPR's impacts on technology.