Many companies spent considerable time and resources in the run-up to May 2018 on adapting their systems and processes toward GDPR compliance. Four years later, were all these changes necessary? Where should controllers have gone further from the outset? And what should change given the abundant post-2018 guidance and enforcement from DPAs? This panel examines how data protection professionals are adapting to the GDPR’s changing compliance requirements.


Transcription

Robert Bateman:

Hello, and welcome to PrivSec Focus, GDPR Four Years On. I’m your host, Robert Bateman, head of content here at GRC World Forums. Now, it’s an absolute pleasure to be presenting this livestream experience to you all today. We’ve brought together thought leaders and industry professionals with a wealth of knowledge on the General Data Protection Regulation. Now, the GDPR passed in 2016, of course, and became enforceable four years ago today. And since then, attitudes towards data protection and privacy have been transformed, both within organizations and throughout wider society. But many challenges and uncertainties remain.

On behalf of PrivSec and GRC World Forums, I’d like to thank our premium sponsor today, OneTrust. To learn more about OneTrust, just head over to the menu bar on your left, and you can visit their page for some exclusive content. You can access all of today’s sessions by visiting the left hand menu and viewing the agenda. It’s also possible to view live discussions on demand after the event, once you’ve registered for your chosen sessions.

Now, before we kick off with our first session of today, I’d just like to let you know about some of the other events we have coming up here at GRC World Forums. Today, to mark the fourth anniversary of the GDPR taking effect, we’re announcing the PICCASO Privacy Awards. This event will recognize the people making an outstanding contribution to this dynamic and fast-growing sector, from the professionals ensuring their companies meet the very complex legal demands to the academics and engineers pushing privacy thought leadership and innovative privacy protections forwards. We’re developing this awards program in partnership with Privacy Culture Limited and PICCASO, which is a nonprofit organization that aims to help the privacy industry grow in maturity and capability. Nominations for the awards close on the 26th of August this year. And the ceremony will be held in London on the 8th of December. Do check this out. It’s a very exciting project. Visit piccasoprivacyawards.com. PICCASO, in this case, is spelled P-I-C-C-A-S-O.

Now, in less than two weeks’ time, on the 7th and 8th of June, we’re holding the first event in our Digital Trust Europe series. PrivSec World Forum will be one of several stages at the event. That’s the 7th to 8th of June in London, and then further dates in Dublin and Amsterdam are also confirmed. Our quarterly two-day virtual event, PrivSec Global, is also coming up on the 29th and 30th of June. And in November, on the 16th and 17th, we’ll hold one of our largest events of the year, a two-day in-person expo called Hashtag Risk at the ExCeL in London. To find out more about all these events, just visit our website, grcworldforums.com. We’ve got a lot going on this year.

So now, let’s go on to our first panel of the day, reviewing your GDPR compliance program. And the host for this session is Stewart Room, who is partner and global head of data protection and cybersecurity at DWF Law. Over to you, Stewart.

Stewart Room:

Thanks ever so much, Robert. And it’s great to see you. Fantastic intros again. We’ve got so much coming up on the agenda. So, keep in touch with GRC World Forums, loads and loads of good things to be involved with. So, Four Years On, 1,460 days, 35,040 hours living the dream of data protection. So, in that timeframe, things will have changed. The tools that we use with our programs, the priorities that we focus upon, the drivers and momentum for what we’re doing will have changed substantially. Curveballs coming from the left, from the right, and not just what Mr. Schrems is doing. So, without further ado, I’m going to bring in our panelists. We’re one person down today, unfortunately, due to illness. But we’ve got two great panelists with us. So, can we bring in Enrique Angulo from Yorkshire Building Society, and Bradley Tosso from the Gibraltar Regulatory Authority. Hello, chaps.

Enrique Angulo:

Hello Stewart. Hello.

Bradley Tosso:

Good afternoon.

Stewart Room:

Great to see you both.

Bradley Tosso:

[inaudible 00:06:06].

Stewart Room:

Let’s do some quick intros. So Enrique, can you tell everyone a little bit about yourself, what you do, what your background is, and of course your interest in all worlds to do with data protection compliance programs?

Enrique Angulo:

Absolutely. My background is in program and project management. I’ve been doing that for over 20 years and delivering transformations in IT, business, and digital. About 2016, I was running a security program for [inaudible 00:06:41]. And they came and said, “Right, Enrique, you’ve delivered this program. There’s something called the GDPR coming along. It’s a compliance program. Do you mind having a look at it and delivering?” And that’s the first time I heard about it. And then, when I came into that program, I started getting myself immersed in all the data privacy and all this GDPR. I saw that it wasn’t just a simple checklist compliance. It was much bigger than that. I became really, really passionate about it. So, I said, “Well, I’m not only going to deliver this, I’m really going to become an SME. And I’m going to really get under the skin of this regulation.” So, since then, I’ve delivered programs for several clients in various industries. So yeah, my latest one is in Yorkshire Building Society, which is a financial services institution.

Stewart Room:

Fantastic, Enrique. What an amazing track record and experience. I think it’s really interesting that you’ve got this prior transformational experience and you’ve come into data protection with that skillset. Obviously, it goes to programmatic performance. So, it’s going to be really interesting what you’ve got to say. Bradley, how are you? It’s been a while, my friend.

Bradley Tosso:

Hi, good afternoon. It’s a pleasure to be back on the show with you. In terms of who I am, well, I am the director for information rights and operations at the Gibraltar Regulatory Authority, which is, in effect, the Information Commissioner’s Office in Gibraltar. I lead the data protection team. And even though we are a small authority, we are at the forefront, let’s say, of data protection developments. We adopted the GDPR in accordance with EU law. We’ve kept the GDPR post-Brexit. And our authority takes part in many international efforts to make sure that we are able to participate in the global discussion and the global collaboration towards, obviously, improving data protection standards and practice.

In terms of my background, I have 15 years’ experience in compliance, which combines private and public sector. And in that sense, I’ve also worked in different regulatory fields, where I started in online gambling and worked, again, in different jurisdictions, both in Gibraltar with an input into the UK regime, or oversight over the UK regime, and then started working in the private sector for a significant player in the online gambling field, where I worked and had responsibility over regulations in Spain. Furthermore, in terms of my skillset, I have a legal background, but also a background in terms of business and computing. So, it’s a range of, let’s say, academic, at least, credentials that have driven me down the path of data protection.

Stewart Room:

Oh, fantastic, Bradley. Well, it feels like you’ve got all bases covered. So, we’re going to be in for a real treat here. And we draw on so much expertise beyond just the regulatory, but actually your business expertise and delivering this in practice, and the legal stuff as well. So, thanks again, gents. So, let’s crack on. If we go back a few years, so think about the… I mean, Enrique, whether you were in the zone at this moment in time, but the GDPR was proposed in 2012, and we know it was adopted in 2016. In that four-year period, data protection, it wasn’t a massive thing. And where it did operate, it was mainly around legal advisory processes and the paper layer of data protection, so contracts, and policies, and back-of-the-envelope data maps. There wasn’t much more to it than that.

And then, we get into the readiness years of the GDPR, 2016 to 2018. And businesses and other organizations then had to spin up transformation programs. And again, when I was consulting in that area and looking in, many organizations weren’t that sophisticated in terms of the tooling that was required, the methodologies that were needed, and really the true understanding that we would need to deliver business transformation all the way into the technology and data themselves. So, the first point here is, four years on, and when we’re looking at GDPR programs, really what is the state of play about the tooling that we need, the methodologies, and how things may have changed, or indeed the thinking that people have around these things?

Enrique Angulo:

Yeah. I can take this whenever you want, Stewart.

Stewart Room:

Yeah, please Enrique.

Enrique Angulo:

Well, as you mentioned, Stewart, I think when organizations started to prepare for 2018, there wasn’t much sophistication. And a lot of the approaches were, well, how did we deal with previous compliance? And as you say, it’s probably filling in a form, getting a checklist, saving those documents somewhere, and that’s it. And pretty much, I mean, I think the tools at that time weren’t very sophisticated, were almost like fancy spreadsheets or fancy documents, but there wasn’t really anything clever. I think, with time, organizations have realized that it’s not just about a checklist or just storage of documentation, and it is about a whole change program and a change deliverable. And therefore, the requirements are far bigger, and the tools have now developed significantly and are able to really support that bridge between the compliance and the legal functions and the business, in order to actually start behaving in those ways.

And I just think that now, four years on, there is really no justification for an organization, for a middle- to large-size organization, not to actually invest in tooling, whether that’s OneTrust, TruSTART, or any of the other ones. For the advantage that those tools really bring to the organization, it is really a no-brainer. And they are now really well developed, and actually, as we’ll discuss later, going into other areas which are adding more value.

Stewart Room:

Fantastic, Enrique, great overview. So Bradley, I’m going to bring you in on this to expand a bit further. Also, as we’re looking at the changing nature of the tool sets that we require, and we can look at that in many different ways, from methodology through to actual GRC platforms, such as the ones Enrique was mentioning towards the end. The whole spectrum of tooling and what’s needed, and our thinking about it, where are regulators on this now? Are they expecting more sophistication? Where are they driving it?

Bradley Tosso:

Right. I think I’ll start off with a point that Enrique made, that obviously now there’s no excuse, shall we say, for you not to have measures in place, obviously in keeping with your organization, the relevant risks, and so on. In that sense, there may be a little bit less flexibility, so to speak. Now, in terms of where we were four years ago, where we are now, just to highlight how things have changed. Four years ago, data protection, especially in the context of the DPO, breach notifications, DPIAs, and so on, was new to many. Now, those measures are embedded in those organizations. We have to recognize that there’s been very much a significant shift in terms of practice.

That said, the risks evolve, and that is part and parcel of data protection and the flexibility, right? We are now considering or using different technologies. And therefore, even though things have improved, it doesn’t mean that the risks stay the same. For example, now we’re considering, or many organizations are using, or maybe looking to use, AI. There’s the potential use of, or increased potential use for, biometrics, facial recognition, fingerprint scanners, and so on. There’s great availability in terms of the use of the cloud, VTCs, e-learning, and so on. So, increasingly the situation is that there are more and more technological products and services out there which rely heavily on the processing of data. So, it’s not necessarily that the tools need to change, but the tools will increasingly continue to evolve. And let’s say, sorry, evolve and become more sophisticated.

And in this sense, I mean, I’m talking about the DPIAs, the resource of the DPO. Maybe today, because of the data protection risks, you may only need a team, a DPO with a team of one or two individuals. As technology evolves, and as your use of technology grows with it, your DPO resource may also need to develop. In that sense, I think accountability is key, in terms of breach notifications, DPIAs, the DPO resource, and so on. So, that’s no longer new, it’s embedded.

But in terms of how things are changing, what is changing is the landscape around us. And we need to continue changing and evolving in line with those developments and risks in relation to the appetite, let’s say, or the view of regulators. The perspective, like Enrique touched upon earlier, four years ago, there may have been, let’s say, a little bit more of an understanding in terms of transition. That no longer applies.

I would also add that what you will see, or what you are probably seeing, is increased collaboration across the globe in terms of data protection regulators cooperating to deal with global issues. And you don’t only see this in the context of the EDPB, you’ve also seen this in the context, recently, of the ICO and the Australian DPA working together in relation to Clearview. So, the key point, I think, to also add is that regulators are increasingly collaborating internationally, and that practice is likely to gather momentum over the next few years.

Stewart Room:

Well, let’s pick that back up in a moment, Bradley, about where the momentum and drivers are coming from. But essentially, in terms of the tooling that we may use, your central proposition is that it was there in 2018, it’s evolving. And as we are evolving our data processing activities, be more cognizant of the need for tools to get us through the compliance agenda that wraps around it. But essentially, they’re there, they’ve been present. We just probably need to adopt them and use them better, more efficiently perhaps.

Let’s go into the next issue about priorities, though. I think this might be quite interesting to people. Again, if we look at this GDPR readiness era, 2016 to 2018, I mean, the experience that I had, and at that time I was essentially consulting around this in a big four environment, is that I saw two kinds of entities. There were entities that were taking a programmatic approach, in the sense of you transform businesses in the following manner. And then, there were entities that were essentially taking a legal compliance approach, which is the GDPR lists a whole bunch of outcomes, and we would just plow our way through them and try and get as many of them ticked off before the end of the two-year readiness period. So, for a lot of organizations, the priorities were, for example, I need a DPIA. For example, I need a data map. For example, I need to appoint a DPO. And these things were very much anchored into the specific requirements of the legislation.

If we now look at GDPR live, it’s had a four-year live environment, and we start to understand that all of those things, like Article 30 and Article 25, need to append themselves to context and scenarios that are important. Where have we got to now in terms of perceptions of priorities for these GDPR programs? Are the priorities data mapping, or are the priorities, for example, more thematic? We’re worried about children. We’re worried about the growth of AI. We’re worried about the curveballs that come from the CJEU. What about priorities, Enrique? Where do you think we are in terms of priority shift, if anywhere?

Enrique Angulo:

Yeah. Well, I mean, one of the things that you mention is, yeah, I think people were worried about, or their priorities were ticking those things, saying, “Right. Do we have a [inaudible 00:21:31]? Yeah. Do we have a DPIA template? Yes. Okay, great. We’re compliant.” And then, but what’s going to happen in a month’s time? What’s going to happen in a year’s time? And there were many, many situations. I’ve gone into many companies that had been on their third iteration, trying to say, “Okay, you know what? We were compliant a year ago, but now everything seems to be falling apart. What’s going on?” They have never actually implemented the change. They have never actually introduced those privacy processes into the BAU processes.

So, the priorities suddenly shift, saying, “Oh right, okay. So, we can’t actually be compliant just by having a DPO and a data protection function. No, we need now to work with the business, and the business needs to work with us. And we need to make sure that they are feeding us the information, that when we are actually requesting something, they know what to do, they know where to go.” So, it’s more a push from the business rather than having a central function pulling. So, that’s what I mean about a privacy culture, embedding a privacy culture. So, that’s where I think the shift has gone.

Also, although the thematics that you mention about AI and the children’s code and all that, that probably hasn’t changed the underlying principle that you need to have those capabilities in your business. This is now actually testing you and saying, why? You now need to look at how to implement AI, or what to do with AI. What to do if you are selling to children. If you are a coder, and you develop products for children, there are some guidelines. But it’s not changing the principles. It’s just actually testing your principles in new areas, and it is expected that this is just going to evolve all the time.

Stewart Room:

Essentially, Enrique, I’m going to change the question for you, Bradley, slightly, but essentially your point is that what we actually need to deliver in terms of living and breathing data protection from our programs by itself would adapt into context. So if context shifts, we should be ready, through our program, to absorb the change and be agile. And so, Bradley, think about that hook coming into your thinking.

Here’s my run-up to this about priorities and also the ability of programs to be agile. We take just a two-year window from the beginning of 2020 to the beginning of 2022. I remember at the very beginning of 2020, the January time, we had a huge amount of panic around AFR, automated facial recognition, and the satellite area of AI. And then, from March, we went into an emergency public health situation, which created two real data protection issues: virus controls, so contact tracing, et cetera, social tracing, and WFH, work from home. So then, we went into an emergency period. And now, it seems that what’s going on over the past few months is becoming more legalistic in focus. How are we going to get our TRAs done? How are we going to get our new model clauses in place? So you see that shift in focus: hard technology, public emergency, legalistic again. What do you think about priorities and the ability for programs to deal with change?

Bradley Tosso:

Okay. I think, so the way that regulatory priorities adapted, and actually the whole world adapted, to the pandemic, I think it’s a strength of everyone that we were able to pull together and focus on this. You are right in saying that regulators were able to, obviously, let’s say, collectively work globally on this topic, where we all contributed our collective knowledge and experience and resource via the Global Privacy Assembly platform. And this was a living document, where you saw different regulators contribute to, let’s say, the safe use of data in the context of the pandemic. So, in some ways, obviously a lot of resource was actually directed to this area, which means that other areas which had already been highlighted, let’s say, were placed on the back burner to an extent, though obviously you’d continue working on them. And that is an example, for example, when we focus on or consider adtech: the ICO did publish a report, a very detailed report, on the sector, but obviously other events took priority.

I think it’s important for organizations to always be alert to the priorities of regulators. In this sense, obviously we’ve seen, again, looking at the EU context, we’ve seen an opinion or guidance being published in relation to facial recognition. That’s always been there. Obviously, other events may have taken over, but that’s always been there. And now, we see it come back to take center stage, so to speak. So, the discussion on that. There’s also discussion on international data transfers, obviously in relation to recent events. So, organizations need to be alert to those topics. And if you are using facial recognition, if you are transferring data internationally, then you need to respond accordingly.

Now, the underlying measure that’s essential for this is the DPO. From what we are seeing, like I said, four years ago, many organizations didn’t necessarily have a DPO. Now they do. I wouldn’t like to think that we are done with that. The DPO’s resource and the DPO’s position in that organization needs to continue to be strengthened. So in terms of priorities, I actually think that the DPO plays a fundamental role and is, let’s say, a cornerstone of this regime that needs to continue to be a priority. Because, via the DPO, or through the DPO is how many organizations will be able to navigate the complexities that lie ahead.

Stewart Room:

Yeah, I’ve got it, Bradley. Again, it’s a similar point, isn’t it really, to Enrique, which is we need to be situationally aware. We need to be understanding, changing context all the time. But Enrique brought out the idea of the champion. You brought out the idea of the DPO, that you’ve got these anchor players here in the program, and in the context of a program that’s ticking all the bases, will move us through processes, agility into the context that we need to address from time to time. And they change in terms of the themes.

Enrique Angulo:

And Stewart, you know, just remember the GDPR is pretty much a risk, there’s a risk-based approach. So, it depends in which organization you work and what they do. So obviously, if you are an online marketing agency, your adtech, compliance with adtech is absolutely a must, whereas if you are maybe in security work, it’s around the facial recognition and all that. So, you will obviously have an understanding of how exposed you are to some risk and should focus your resource where your higher risks are.

Stewart Room:

Yeah. I completely agree. I completely agree. Now, let’s take a different angle. We’re getting some really good questions through. We want to spend a bit of time on those. But before we get into those, I want to look at other drivers for programs. It wouldn’t be fair to say that, on the 25th of May 2018, the only show in town that was relevant to the handling of personal data was the GDPR. But it was the only conversation we were having. Four years on, there are question marks about its effectiveness. And Bradley, without any pejoratives at all, there are questions about the effectiveness of the regulators within that system.

But we also see other owners of data protection now, or of the subject matter that seemed to be almost exclusively within the GDPR and the regulator zone. So, the ESG agenda is… We weren’t talking about ESG in 2018, and it’s so huge now. And that certainly seems to encompass at least human rights aspects of data protection. Or the competition side, where we’ve seen, in the UK for example, the Competition and Markets Authority essentially owning the process of development of regulatory focus, scrutiny around the Google Privacy Sandbox. We’ve got those different things which are owning the agenda. And then, Bradley, the idea of the privacy activists, such as NOYB, Max Schrems, having massive regulatory effect. What do we think about these ideas, that there are these other drivers for our programs which are not simply what the GDPR says? And how do we adapt and take account of those within the ongoing improvement of our programs? So Enrique, any thoughts on this? And it may not make a difference, actually. The answer might be the GDPR’s got it all covered again, we’ve just got to be flexible.

Enrique Angulo:

It might be. I think that GDPR has actually touched a lot of the other regulators. So, it is only fair that other regulations or compliance are actually then touching and influencing the GDPR conversation, which is great. I think this is absolutely fantastic. And I think that, for me, one of the things that changed the drivers is trying to… My approach is trying to use data protection, bring it from a defensive into actually an offensive or value-added proposition to the organization.

What do I mean by that? If you really have established a strong program and you have your structure, you have your people, you have your governance there, then you are really starting to maximize the use of data. So, you can start expanding on that, because you know what data you’re using, you know where you have it, you know where the security features are. You can now start exploring, actually, and expanding into the wider data management and data governance aspect, and really bringing more value to the organization. A lot of those other programs, the ESG you mentioned, for example, they should be feeding them. One of their feeds is what we have put in place in data protection. So, you need to make sure that you’re… Where do you get your data from? What’s the quality of your data for your ESG, the social aspect? Well, I mean, how are you actually collecting the ethnicity information or sensitive information, and how are you managing that? So, all those things are just simply building on the strengths of your GDPR program.

Stewart Room:

Yeah. I’ve got it. So, Bradley, what do you think then? I mean, where Enrique’s going, it’s the same point that a well-designed, flexible, pragmatic, properly managed GDPR program is going to capture these other drivers anyway. But what’s your take on all of this? Do you think that’s correct? Or could it be that some of these new drivers are going to fundamentally alter how we’re going to go about our dealing with our programs? And here’s a question that’s come in, Bradley, maybe you could pick it up, from one of the viewers here. Should our priority also involve the review of ethical use of data? That’s part of the ESG agenda here. So, is ethics part of the GDPR? And if not, is it something that needs to be brought into scope? So, over to you. Big question.

Bradley Tosso:

Okay. Yes. I’ll try and answer it to the best of my ability. Right. Okay. If we take a step back, four years ago, obviously discussion centered or focused on GDPR, or a large part of that discussion did. Now, when that discussion was happening, a lot of the headlines, so to speak, focused on the fines. I think we can all agree on that. Now, the fines at that time, obviously, for whatever reason, I suppose it’s the easier way to explain the change in a tangible way, right? The fines are there to dissuade compliance. And obviously it was a key driver to highlight the change that was coming. The fines will remain. And in that context, I think it’s important to note that in the past, or in recent months and the past year, there’s been a significant surge or acceleration in terms of enforcement.

Stewart Room:

I agree.

Bradley Tosso:

However, I think that over the past few years, consumer expectations have changed through awareness raising, for example, which has also led to, let’s say, greater empowerment for individuals. Because their expectations have changed, they are demanding more from organizations, right?

Stewart Room:

Right.

Bradley Tosso:

And this, I think, from what we see, has been illustrated by a surge in the number of complaints. And other DPAs will also say the same thing. So, we’ve moved from a situation, moved into, sorry, a scenario where I think privacy and data protection is being valued and acknowledged by the consumer, and therefore they expect more from organizations. And so, trust and reputation is increasingly becoming a key driver as a result, because there’s a change in attitude and behavior from individuals. And therefore, this, I think, will increasingly become a key driver alongside the fines. The fines will not, I don’t think, go away. That’s a key driver. But I think the element of trust and reputation will increasingly become important as we move forward.

Now, in terms of how data protection is, let’s say, overlapping, or let’s say engaging with other areas in law. Again, if we consider the context, this actually makes sense. Because, whereas 10, 15 years ago, some businesses, some sectors, were not heavily reliant on data and processed very little data, now they process vast amounts of data, because of the way that technology has evolved and the opportunities that have come with it. So therefore, data, whereas before it didn’t form part of the conversation, or was, let’s say, backstage, now it’s center stage. And data has become an important part of the conversation. And that is why data protection and data protection regulators are increasingly collaborating, cooperating with other sectoral regulators, because of the importance of data.

Does this mean that the focus will change? I don’t think it will necessarily change. But it just highlights how the context has changed, where data’s position was previously backstage, now it’s center stage. And now, with any new emerging law, data protection becomes part of that conversation. And just to reflect how, or just to illustrate how that has changed, you are increasingly seeing MOUs between the data protection regulator and the other sectoral regulators. We have done the same locally, where we are in ongoing discussion with the financial services regulator, but we also have an MOU with the Gambling Commissioner. So, I think that will increasingly become the case and the norm, so to speak, because of how the context has changed.

Stewart Room:

Perhaps we-

Bradley Tosso:

The final thing-

Stewart Room:

Go ahead, Bradley.

Bradley Tosso:

… in terms of the ESG agenda, I think it complements data protection and privacy, because the focus is on sustainability and governance. And governance in data protection is very important. And in terms of how ethics comes into it, I think there’s a nice overlap with fairness, with the principle of fairness. So I think, again, there’s overlap and there’s an element of different regimes complementing each other.

Stewart Room:

Yeah. Bradley, I mean, just to take some of these points in reverse, all but the two major ones. I mean, we’ve always got this challenge, the difference between law and ethics. But the data protection regime is a regime that reflects fundamental rights and freedoms, which essentially reflects our ethical points of view. And then, it gets codified into regulation. It’s a classic merger of ethics and law on one page, as it were. Well, it’s obviously many more than one page.

On your other substantive point here, I mean, it’s the centrality, isn’t it, of what we’re talking about, which is the GDPR is essentially a law that is representative of the human condition, the human experience. It’s about us. It’s about human beings. We’re intentionally fascinating to all other areas of law because humans regulate the humans. So, there is no surprise that, in a modern digital environment, the ESG agenda could own data protection, as it were, the use of personal data in a technological context, same way as GDPR. I think you’ve absolutely nailed it. It’s this centrality of essentially the focus on the human being, which puts it in every container you could ever find. And we obviously see that on employment law all the time. DSARs become a focus of employment disputes, it’s all there.

Let me just pick up some questions from the viewers. We’ve got some good questions here, some real practical ones, and we’re in the last 10 minutes. Enrique, with respect to day-to-day operations, okay?

Enrique Angulo:

Right.

Stewart Room:

Any thoughts on the integration of the data protection requirements into multiple systems? What I think that the viewer is asking is, how do we get the data protection principles of the GDPR off the paper and literally inside these multiple systems around us, and make that work on a daily basis? So. How do we get it into the tin?

Enrique Angulo:

Yes. All right. Let me start by just saying a lot of organizations just get very excited from the start and say, “All right, what we’re going to do is we’re going to throw a lot of technology solutions here, and we want to integrate everything, and we want to…” And usually, those programs are so big that they never really come to fruition. They take too long. So, what you really need to start looking at is, what are the processes that are already in your businesses that you can tap into? And that is the best way you can start embedding your data protection processes into the BAU. Once you start then using what is already there, then you build on top of that.

As you mature as an organization, you can then start optimizing that by integrating, maybe using automated data discovery, and all that. But what I say is don’t focus on the “let’s throw a whole lot of new toys and gadgets into this, because it’s going to make us compliant.” That usually does not work. Start with what you’ve got, build from there. And you will see that, once you start, it’s better just to use an existing one and then do a process. And then, that prompts a data protection trigger, rather than having to overlay an additional process with a data protection element onto another area. That usually creates a, “Oh right, this is additional workload.” But if you are already doing something, and I just have to ask a data protection question, that is much easier for the business to actually implement into the day-to-day operation.

Stewart Room:

Yeah. Enrique, I was actually thinking maybe the answer, to this poor viewer, very astute viewer, is it’s just easier said than done, really. Because at the end of the day, when you look at the domain of the business from the top layer of people through to the paper layer, the technology and data layer, and then you’ve got the physical layer, the bigger you get, the harder this is to do, isn’t it? Let me bring in Bradley. I think this is an okay question to put to a regulator. Because, I think this is the issue that you basically have to balance out every day. It’s come from one of the viewers here. Is full compliance possible with the GDPR, full compliance with the GDPR, is that possible? And the viewer puts, particularly considering trends too, which I think may be about, at the end of the day, we can’t net off some of the EDP requirements with the actual situation on the ground in the US at the moment. As a regulator, you must be faced with this all the time. So, what are your perspectives on that?

Bradley Tosso:

Right. I think, as an idea, you want to aim for full compliance. But obviously in practice, that is going to be very, very, very hard. Because, even if you are fully compliant today, if the circumstances around you change, then tomorrow you may not be fully compliant, just because you’ve tweaked the way you do things. The point that Enrique touched on before previously, and in terms of tools, a computer or tool is only as good as the person using it. So, it’s not just a matter of buying a computer or tool. In terms of prioritizing and focusing on compliance, what we try and always focus on is that, look, it’s about risk. Try and identify, first of all, the higher risk areas of your organization, focus on those, and then work onto the other areas.

Two simple tips on how to do that are, first of all, focus on the data that’s more sensitive, for example, the special categories of data, criminal data. Work on those, and then move on to the others. That’s just an indicator. But then, the other indicator is work on the volume. What is the largest volume of data, what data sets? Work on that. And then you move onto the other areas. And if you adopt that approach and you can at least demonstrate to a regulator that you are working towards something, then even if a breach is identified, that serves to work as a mitigating effect. Let’s not forget that the vast number of cases, so to speak, don’t end up with a fine. Obviously, in those cases, that is where the organization demonstrates that they’re trying to comply or otherwise implementing corrective measures. And I think that’s a key point. Finally, in terms of how to embed it, think of privacy by default, by design, try and involve the data protection officer as soon as possible when you’re actually coming up with a new tool or system.

Stewart Room:

Fantastic, Bradley. No, I completely agree. I mean, even the latest EDP guidelines on the ministry fines point to this dilemma that we’ve got. And it is a dilemma that we’ve got a huge amount to achieve. But there are things that potentially have bigger impacts than others. And it is really important, that last point that you stress, which is, yes, I mean, how many data protection issues do the regulators deal with globally around the many… Almost countless. And yet, how many turn into these real… The regulator is going to have to use all of the deterrent, and discordinate, and discipline mechanisms. And it’s proportionately very, very few, which tends to suggest that the regulatory system is being balanced. Some people may argue the balance is not in the right way, but that’s a different point. But there is balance there.

So, gents, we’ve got two minutes left. That is it. Can’t go further than this, because we’ve got amazing people coming on next. So, you’ve got like 40 seconds each, every K, everyone in the audience here, four years on, looking at your program, what should they go and do, take back to keep it relevant and fresh?

Enrique Angulo:

Right. So, especially now with so many international regulations coming out, I think you need to build a strong framework that is going to be your guideline for your organization, but make that framework also flexible, so it can adapt to local variations. That is the key when you are dealing with multinational organizations from here onwards.

Stewart Room:

Fantastic, Enrique. Topped it. Bradley, a few seconds for you, sir.

Bradley Tosso:

Yes, building on what Enrique said, I think organizations need to understand that, if you’re going to be successful in the digital economy, you need to build your reputation and protect your reputation, build that trust. That’s a prerequisite, I think, to be successful going forward. Otherwise, you’ll see the value of your brand, your company, being impacted by that. As part of how to do that, I think again, focus on the DPO and make sure you engage with the data protection committee.

Stewart Room:

Fantastic, Bradley. Excellent tips as well. So, gentlemen, can I thank you ever so much for your participation today, your great ideas, your wisdom, and sharing your experience. It’s been really valuable. I’ve learned a lot. I’m sure all of the viewers have as well. We’re going to pass back now on time to Rob, who will be able to take the sessions forward. Rob, back to you, sir.

Robert Bateman:

Thanks so much Stewart. Great job. Wonderful discussion there. Really a privilege to have the insights of such experts, professionals. It’s fascinating how the different attitudes from organizations at the beginning of the implementation period have translated as time has gone on. And a good discussion there about whether full compliance is really possible, or whether it’s something to always be working towards with all the changes that are happening every day in this field. Up next, in 10 minutes time, we have a session sponsored by OneTrust, GDPR, Four Years On. And that will be with the principal solutions engineer over at OneTrust. Well worth watching that. So, please join us back here at 1:00 PM, UK time, in 10 minutes.

PrivSec World Forum
Park Plaza Westminster Bridge, London: 7-8 June 2022

PrivSec World Forum is a two-day, in-person event taking place as part of the Digital Trust Europe series.

PrivSec World Forum will bring together a range of speakers from world-renowned companies and industries—plus thought leaders and experts sharing case studies and their experiences—so that professionals from across all fields can listen, learn and debate.

The event is a must-attend for data protection, privacy and security professionals who are keen to network, learn more, discuss and add expertise to how these sectors are interconnected.


Reviewing Your GDPR Compliance Program