GDPR is Two Years Old, But Compliance Still Confuses


More than two years after GDPR came into force, organizations still see accountability as a strain, but there are ways to turn compliance into an operational advantage. Compliance is far from a one-off exercise, and as new privacy measures are introduced around the world, regulation should be approached differently in order to find efficiencies, writes Philip Dutton, co-founder of Solidatus.

Just two short years ago, GDPR arrived and brought unprecedented change to organizations. It ushered in a new era of enhanced data protection, or at least that was the intention. In practice, many organizations have treated it largely as a box-ticking exercise, approaching the complex and delicate matter of compliance with a certain resignation. Yet turning disruption into an asset is how organizations write their success stories: GDPR was also an opportunity to use budget that had to be spent anyway to redesign and strengthen data management capabilities in innovative ways.

In January this year, research published by Microsoft and conducted by the Ponemon Institute found that, despite a rising wave of cloud adoption, most organizations believe they lack the control and visibility needed to manage data privacy. The survey of 1,049 IT professionals worldwide showed that 53% of US respondents and 60% of EU respondents are still not confident that their organization currently meets its privacy and data protection requirements, while just 29% say their organization has 360-degree visibility of the confidential data it collects, processes and stores. Two years on, compliance in the age of the cloud remains a confusing issue.


This Missed Opportunity

This missed opportunity to truly embed clarity on data management within organizations not only falls short of the intent of GDPR, it is also proving costly. GDPR forced organizations to spend, and it encouraged a number of other jurisdictions to expedite similar regulations. It now has siblings all over the world, such as the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), Singapore's Personal Data Protection Act 2012 (PDPA), the New York Privacy Act, India's Personal Data Protection Bill and Malta's Data Protection Act, to name just a few. What happens to organizations with multi-jurisdictional exposure, which must then meet a number of different regulations simultaneously? Without a proper handle on their data protection compliance, are they not forced to re-spend their regulatory budgets over and over again just to stay in line?

The answer has been yes, mainly for organizations that rely on regulation-specific, non-reusable and narrowly focused methodologies. It has been estimated that the cost of compliance to business innovation alone exceeds $10bn. Simply replicating that spend for each new piece of relevant legislation carries a potentially eye-watering price tag. Some organizations, however, have viewed the global expansion of data legislation as an opportunity to elevate and transform their data capabilities. After all, these international regulations often share significant DNA with GDPR, which set such a high bar that it has served as a template for many others. In effect, once you have a grip on your own GDPR compliance and understand the similarities and differences in other regulations, you can often model the points where the business is already covered, and where further additions need to be incorporated. But you can only do this if you understand how GDPR compliance flows through your organization, and in which key areas other measures differ in implementation.

To put this in context: with over 40 million customers and operations in over 60 countries and territories, one of our key banking clients faced an ever-increasing regulatory burden that was taking priority over necessary, fundamental business change. For data, this meant a material shift was required so that regulations were considered upfront, alongside the data supply chain, the individuals who use the data and the purposes for which it is used. The bank's existing global data-sharing framework agreement process was impeding change: it was heavily manual, slow and cumbersome, involving a minimum of four Word documents, each requiring four authorizing signatures, and taking up to four months to be actioned. Behind these documents lay a chain of manual processes in which lawyers applied changes to regulations and then updated compliance procedures accordingly, which often meant that by the time the authorizing signatures were obtained, the documents were already out of date.

Instead of jumping through these endless hoops, our self-service solution removed the operational bottleneck of up to four months by streamlining contractual, legal and regulatory compliance requirements. It is linked to the underlying purposes for which data is shared, the sub-processes related to those purposes and the related data categories. This provides a real-time view of which restrictions apply to existing processes. It covers the data-sharing frameworks of over 56 countries and led to the removal of millions of business rules from the process.


Roadmap Ahead

Having a roadmap of how data management and compliance flow through internal infrastructure can make these issues crystal clear, while also allowing potential changes to systems to be modelled and making it easy to spot where pinch points may occur when established processes are tweaked. For example, if GDPR evolves, organizations may need to assess quickly how this will affect their own workflows and where it could cause problems. Happily, help is at hand without a further costly price tag. Such solutions allow the internal data management map to be aligned with external regulations, so that users can view connectivity and impact from any focal point and through any lens. Companies can model how changes to processes, systems or policies would affect the business before full live implementation.

When checking a plan to change systems and practices in the business, we need to assess where changes can safely be made. If you wanted to remove a wall from your house, you would check the plans first to make sure the wall is not structural and that it is safe to proceed. The same applies in business: this process allows an organization to assess the impact of changes on its internal infrastructure before full rollout. It is far more effective than a 'captured change' approach, in which 'walls' are removed and the plans updated in a live environment without any check on the impact of the change. The upshot is that it is more practical and more prudent to model changes and see potential hurdles at a glance than to begin rollout and face unexpected problems, which can in turn create further issues, as Barclays experienced several years ago when implementing process change in its data center network.

The opportunity to truly embed an internal organizational focus on data compliance may have been largely missed when it comes to GDPR, and its complexity, especially for some of the world's largest multinationals, makes it a tricky issue to grasp conclusively. But that need not mean reinventing the wheel every time a new layer of local or international regulation is introduced. There is every chance that the steps already taken cover most of the regulatory points. Organizations simply need to be able to identify and map the differences quickly, and focus their efforts accordingly.