Many organisations have still not embedded data protection practices into their day-to-day business operations, according to Stewart Room, lead partner for the General Data Protection Regulation (GDPR) and data protection at PricewaterhouseCoopers (PwC).

After a two-year implementation phase of the European Union’s (EU’s) GDPR, and six months after it went into full force, many organisations are still stuck in the preparatory phase, he told Computer Weekly.

In the run-up to 25 May 2018, Room said organisations were running “noisy and busy” GDPR readiness programmes, but such programmes should end at some point and transition into business as usual. “But, generally speaking, I am not sure that outcome has been well achieved,” he said.

There are exceptions, said Room, where some organisations have made a very good transition from preparatory programme to business as usual (BAU), but many organisations are still looking at filling GDPR-related roles and are implementing GDPR-related processes at scale.

“A lot of the BAU questions we are getting are quite elementary in nature, and they are the kind of questions that ought to have been resolved in the preparatory programme by those charged with transitioning GDPR plans into everyday business processes,” said Room.

“I am not confident that data protection is transitioning at the pace and sophistication from programme to BAU that it ought to be.”

The slowness of this transition, he said, is in part due to the fact that data protection programmes were being “spun up at the last moment by a cohort of people who were relatively new to the topic”.

“The primary goal was to get as much ticked off as possible before 25 May 2018 without thinking through how to build a data protection framework that survives and scales into the long term. So it was designed to be a programme, it wasn’t designed to be BAU – it is a design problem,” he said.

A second trend that PwC identified is the failure of organisations to deliver data protection outcomes in the technology and data layers of the business. The focus of most GDPR programmes, said Room, has been around the “paper layer” in terms of policies, notices, procedures and contracts, and the “people layer” in terms of organisational processes.

“Business transformation has not really occurred in the technology and data layers to the degree that the GDPR requires, which we expect to be a visible and obvious problem as the data protection regime goes forward with enforcement actions and litigation,” he said.

“Data accuracy, for example, is one of the data protection principles enshrined in the GDPR, but you cannot deliver data accuracy without having some code-based outcome. You can’t deliver accurate electronic data in a non-tech way.

“You cannot fix the privacy threat to children of internet-connected toys simply by creating good quality paperwork about the internet of things. At some point, you have to code things in about how the camera and microphone should operate to ensure privacy is not at risk, but many organisations have completed their GDPR readiness programmes without making this key journey to code,” said Room.

A third significant theme, he said, is that although we are six months into full GDPR enforcement, there has been no real enforcement action to date, which appears to be supporting the view of those who did not see the need to make an investment in GDPR compliance.

“However, there are indications that the first round of important enforcement activity will take place in December. The European Data Protection Supervisor has made comments to that effect, so these cases could be imminent,” he added.

Apart from ensuring that they have made a successful transition from GDPR programme to data protection as part of normal business, and ensuring they have translated their plans into the data and technology layers of the business, Room said organisations need to have the necessary coping strategies in place.

“Accountability is a key principle of the GDPR, so if a complaint comes their way, an organisation needs to be able to tell a good story and be compelling. That remains a critical priority,” he said.

“Assuming that data protection reverts to type, organisations will need to have coping strategies in place to deal with victims of personal data breaches, to deal with consumers about marketing issues and to deal with rights requests not being dealt with properly.

“If that is where the data protection agenda settles over the next 12 months, then having a position on how to deal with those matters will be 95% of what data protection professionals will have to concern themselves with.

“But the extent to which the GDPR will move data protection forward to be much more holistic is still uncertain. One prediction is that it will revert to type, but it could move to a place where all considerations of data protection are perceived to be important.

“We don’t know which way it is going to go, so organisations need to have an answer in terms of accountability, they certainly need to be delivering data protection outcomes in terms of the technology and data layer, but they should also be focusing on personal data breach, rights mishandling and marketing-related privacy issues.”

Asked about the data protection elements of the draft EU Withdrawal Agreement, Room said the commitments on personal data will be reassuring to citizens and businesses across all sectors.

“The terms of the withdrawal agreement, if agreed and ratified, will make sure there is no interruption to cross-border data flows, as EU data protection law, including current adequacy decisions, will continue to apply in the UK during the transition period. UK citizens’ data will continue to be protected in EU law.

“The political framework provides a welcome commitment to cooperating on data protection in the next phase of negotiations, however an adequacy assessment by the end of the transition period is not guaranteed,” he warned.

Written by Warwick Ashford – Computer Weekly – November 2018