Compliance day for GDPR is just over a month away. I know that your company is fully compliant, so you can probably skip this for yourself, but perhaps you have a friend who might benefit from it. Wouldn’t it be nice if your friend’s company, that might be slightly less than 100% compliant, could prioritize their GDPR efforts?
The good folks at the IAPP have created an info graphic for the European Supervisory Authorities’ Top 8 GDPR Enforcement Priorities that your friend’s company will need have completed to merit a good faith effort in compliance. The #1 priority – the DPO.
“Have you appointed a data protection officer (DPO) who is responsible for processing activities,” they ask.
Note that the DPO responsibility is for processing activities. Out of all of the requirements, why are they focusing on processing activities?
The DPO Priority and Focus
Processing data is the most widely ignored pre-GDPR aspect of Privacy by Design. It is also the foundation of protecting personal data as the eight enforcement priorities go on to describe. Prior to the GDPR, there was some general awareness of things like data retention. The Ad Tech world had cookie consent and tag management which dealt with the collection of data. Marketing departments and their tools had some notion of outgoing contact consent so that people were not sent offers who didn’t want to receive them.
These efforts dealt with data collection and data usage, but they completely ignored the most important part of internal data privacy which is data processing. The DPO’s job is to fix this gap as he/she systematically and enterprise wide understands and orchestrates the entire flow of data in the enterprise from collection, to processing, and to usage of the data. This is no small charge especially for medium to large companies with large data assets.
The primary requirement for the DPO role is to fully understand a company’s Data Ecosystem Network (DEN). The DEN is the network of connected data that flows into, through, and out of the company. It is the synthesis of data products that form a cohesive system that includes the collection, engineering, analysis, presentation, and action of or upon data.
Prior to the advent of Big Data, most data was siloed in applications. While it might have been consolidated in a Data Warehouse, this data was not networked and combined on an ongoing basis to feed a data driven organization. With the increase in machine learning, IoT, automation, and AI, the networking and combination of data will multiply. The DPO must be the master of this Data Ecosystem Network and that mastery starts with understanding how data is processed in the DEN.
The DPO must be Independent
The DPO will face many issues in moving a company to compliance. Not the least of these challenges will be the native tension between The Business, The Legal Team, and IT. For this reason, the GDPR Recital 97 states that:
the DPO “should be in a position to perform their duties and tasks in an independent manner.”
This tension is illustrated in the following diagram showing the connected relationship between these three groups and the data. All three have to be aligned to succeed in Privacy by Design and all three will have competing interests that will work against Privacy by Design.
The DPO’s job is to align all three divisions so that Privacy by Design is institutionalized. Success means that the DPO by aligning these three groups enables the Business to profit from data while enforcing the requirements from Legal in a way that can be rationalized in a cohesive IT architecture in the DEN. To pull off this balancing act, the DPO will need to understand the business enterprise, the legal regulations, and the technical IT architecture. The DPO will also have to have authority over how data flows into, through, and out of the company which is why the position has to be independent of Business, Legal, and IT.
The following diagrams show the pitfalls of not having an independent DPO vs. creating an organizational structure with an independent DPO that can implement Privacy by Design.
The green and red examples are not the only way to position the DPO, and there may be other ways to achieve an independent DPO. The Legal Team and IT need to ultimately be enabling the Business and all three have to be aligned around data protection. The point is, if you want Privacy by Design, then you need to find a way to give independent authority to the DPO so that the other three can’t derail the DPO’s mandate. Otherwise, the DPO will be caught in the middle of the three groups, and the company will be the loser.
The DPO Must Know your Data
The IAPP lists the second priority as Data Inventory and Mapping. A lot of IT departments have been in the process of inventorying their data for the purpose of identifying their data assets for additional use in a Big Data environment. I think what may be new with the DPO role is the need to classify data not in terms of technical or business meta data, but in terms of ontology.
The DPO will need to find a scalable way to rationalize legitimate processing from non-legitimate processing before privacy can be enforced in the DEN. Classifying data based on the nature of the data and the purpose of its processing will need to be done alongside the data inventory and mapping. In my previous post “Modifying the GDPR”, I discuss the difference between Primary Data and Secondary Data and suggest that this is the starting point for an ontological classification of personal data usage.
The DPO – Beyond Compliance
Most of the work being done for GDPR privacy preparations at this point is probably better labeled as Privacy as an Afterthought. Going beyond May 25, the DPO needs to influence the company culture to move privacy into the business planning stage. Privacy that enables companies to use Secondary Data will need to be part of the corporate strategy. The DPO should be sitting at the table with the strategy team. It only makes sense that with the central role data plays in IoT, automation, and AI, that the DPO becomes a thought leader that drives new revenue while respecting your customer’s privacy rights.
Some of you are saying to yourselves “this guy just blew his credibility as a privacy advocate, privacy and business shouldn’t mix”(Article 38#6). In response, I would suggest that unless privacy moves beyond compliance and is seen as both a foundational right and as a strategic asset, privacy could become a back office checklist to be ignored or worked around. I would rather have a DPO sitting at the table changing the mindset around privacy than for privacy to be forgotten after the GDPR anxiety passes.
Beyond changing the business mindset, privacy needs to be inserted into the design process. The DPO will need to insert data privacy into the Dev/Sec/Ops cycle. Data driven companies in the middle of digital transformation have to become data centric and as such, must start with data Privacy by Design. The DPO will need to forge the path to Sec/Priv-Dev/Ops to ensure that privacy starts before development begins.
Who is ready for GDPR?
Well, this was probably a review for you because you have had your DPO in place for a long time, and they have implemented privacy by design beyond just good faith. You know what the DPO should be doing and are ready for May 25th. The rest of us should probably review those GDPR Enforcement Priorities.