Operationalizing Privacy-by-Design: The Case for Data-driven GDPR Compliance
On June 22, 2018 at 11 AM EDT / 5 PM CEST, in conjunction with guests from IBM, DLA Piper, the EU Commission, and the French regulator CNIL, BigID will be hosting an online discussion of how technology can help automate GDPR compliance (https://bigid.com/webinar-gdprcompliance/).
As we approach the May 25th, 2018 GDPR enforcement date, many companies will promise solutions to meet the GDPR’s detailed and intricate requirements, but only a handful, BigID among them, believe it will never be feasible to deliver on the spirit or letter of the regulation without taking a data-driven approach to compliance. The standard operating practice, when confronted with a new set of regulations, is to focus on the processes and legal language. However, it’s important to remember that the D in GDPR stands for Data and the P stands for Protection. GDPR is not a Talmudic exercise in theoretical privacy. At its core, it is a regulation about the integrity of a measurable thing: a person’s data. This requires knowledge about that person’s data, which in turn requires a data-driven approach to compliance.
Complying with a regulation governing the use and ownership of data will never be scalable and automated without first accounting for that data, tracking its usage, and demonstrating conformance with policy. Privacy process does matter but privacy will never be a verifiable and measurable pursuit without corresponding product to ensure compliance.
This new perspective on privacy compliance as something beyond policy and process is perhaps nowhere better exemplified than through the new GDPR imperative of privacy-by-design.
Getting to Privacy-by-Design
The EU GDPR reinforces the concepts of privacy-by-design and privacy-by-default as core operational precepts which require organizations to consider privacy protection from a project’s initial conception through full operation. But how do you achieve privacy-by-design when the organization accountable for privacy compliance does not directly own the creation and administration of a new IT initiative?
For too long, the Privacy function in most organizations set down privacy policies and processes for IT projects but lacked effective technology product to ensure compliance with either internal rules or external regulations. Compliance without measurement is mere estimation: without effective product to measure actual behavior and conformance to policy and prescribed process, there is no way to verify it. When IT measures application uptime and performance, it doesn’t use questionnaires, and there is no compelling reason to settle for anything less when it comes to data privacy or data protection.
The D in GDPR is for Data
What’s sometimes amusing when discussing GDPR with attorneys is the abstraction of personal data from the actual IT object. Data, of course, is not some esoteric thing: it’s a precise and quantifiable unit of information that is stored and processed electronically. When the EU first started debating the replacement of the previous data protection directive, it was for the purpose of being more exact about what was to be protected and to be more exacting about the consequence for failing to do so.
The EU GDPR is, first and foremost, a regulation about data, and so compliance will never be possible in an operational, privacy-by-design way while being ignorant of the data. Estimating data location through surveys is not much better than navigating to North America using a 10th-century map. It’s inexact at best, untrustworthy at worst.
To effectively protect personal data belonging to consumers requires knowledge of that data: its location, lineage, access, ownership, etc. Data can’t be protected unless the subject of the protection is first known.
Data-driven People Privacy Compliance
GDPR is very specific about a whole host of obligations: data subject rights to data access, portability and erasure, consent parameters and pseudonymization, to give some examples.
All these obligations require an intricate and deepening knowledge of the personal data that an organization collects and processes. They require an IT-like operationalization of how data privacy is protected: anchored-in, up-to-date intelligence on the data being collected and processed.
BigID is at the forefront of next-generation companies that deliver Big Data-like intelligence around personal data without any need to build a data warehouse. The webinar on June 22nd will look at the role companies like BigID can play in both automating GDPR compliance and delivering consumers true data-driven safeguards for their data.