As we near the May 25, 2018, GDPR enforcement date, companies will promise solutions to meet the GDPR’s detailed and intricate requirements, but only a handful will recognize that delivering on the spirit or letter of the regulation is not feasible without taking a data-driven approach to compliance.
The standard operating practice, when confronted with a new set of regulations, is to focus on the processes and legal language. However, it’s important to remember that the “D” in GDPR stands for “data” and the “P” stands for “protection.” GDPR is not a Talmudic exercise in theoretical privacy. At its core, it is a regulation about the integrity of a measurable thing: a person’s data. This requires knowledge about that person’s data, which requires a data-driven approach to compliance.
Complying with a regulation governing the use and ownership of data will never be scalable and automated without first accounting for that data, tracking its usage and demonstrating conformance with policy. Privacy process does matter, but privacy will never be a verifiable and measurable pursuit without a corresponding product to ensure compliance.
This new perspective on privacy compliance as something beyond policy and process is perhaps nowhere better exemplified than through the new GDPR imperative of privacy by design.
Getting to privacy by design
The EU GDPR reinforces the concepts of privacy by design and privacy by default as core operational precepts that require organizations to consider privacy protection from a project’s initial conception through full operation. But how do you achieve privacy by design when the organization accountable for privacy compliance does not directly own the creation and administration of a new IT initiative?
For too long, the privacy function in most organizations set down privacy policies and processes for IT projects but lacked effective technology products to ensure compliance with either internal rules or external regulations. Without products that measure actual behavior and conformance to policy and prescribed process, compliance is a mere estimate. When IT measures application uptime and performance, it doesn’t use questionnaires, and there is no compelling reason to settle for anything less when it comes to data privacy or data protection.
The "D" in GDPR is for data
What’s sometimes amusing when discussing the GDPR with attorneys is the abstraction of personal data from the actual IT object. Data, of course, is not some esoteric thing: It’s a precise and quantifiable unit of information that is stored and processed electronically. When the EU first started debating the replacement of the previous data protection directive, the purpose was to be more exact about what was to be protected and more exacting about the consequences for failing to do so.
The GDPR is, first and foremost, a regulation about data, and so compliance will never be possible in an operational, privacy-by-design way while being ignorant of the data. Estimating data location through surveys is not much better than navigating to North America using a 10th-century map. It’s inexact at best, untrustworthy at worst.
Effectively protecting personal data belonging to consumers requires knowledge of that data: its location, lineage, access, ownership, and so on. Data can’t be protected unless the subject of the protection is first known.
Data-driven personal privacy compliance
GDPR is very specific about a whole host of obligations, from data subject rights such as data access, portability and erasure, through consent parameters and pseudonymization, to give some examples.
All these obligations require an intricate, deepening knowledge of the personal data that an organization collects and processes. They require an IT-like operationalization of how data privacy is protected: anchored in up-to-date intelligence on the data being collected and processed.