Technology’s role in data protection – the missing link in GDPR transformation | PwC
The EU General Data Protection Regulation (GDPR) delivers a fundamental change in how data controllers and data processors handle personal data. Instead of an ‘add-on’ or afterthought within business operations, protections for personal data will now have to be designed into the very fabric of data processing systems, meaning that entities will need to re-examine how they approach the use of technology in their organisations.
European data protection law has always been concerned with how technology operates. Indeed, the first proposals for harmonised, pan-European laws were a response to technological developments. Legal instruments such as Council of Europe Recommendation 509 on human rights and modern scientific and technological developments (31 January 1968) pinpointed with precision the risks to privacy posed by the technology revolution of the 1960s. Data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms.
Technology is, in other words, the principal problem that data protection law is trying to solve. As such, it is obvious that, as well as being the problem, technology must provide the solution. If entities are storing too much personal data, for example, technology needs to deliver delete, erase, de-duplication and minimisation functionality.
However, the way that data protection has operated in practice tells a different story, and PwC’s experience in this area bears this out. Despite technology being both the problem and the solution, technology systems have not been designed and deployed from the perspective of the requirements of data protection law. This is why we see so much debate over the retention and storage of personal data, so much confusion about the nature and whereabouts of personal data, and so many technology-related cyber-security failures. From this perspective it might be said that the technology stack has been the missing link in data protection programmes over the years.
The underlying reasons for these issues will no doubt continue to be a source of debate, but one thing is certain: in the new world of the GDPR, where tougher and more penetrative forms of adverse scrutiny are likely, instances of technology failure will be harder to excuse.
The principal contention of this White Paper is that data controllers and processors who are engaged in the design, build and delivery of GDPR programmes should re-examine and rebalance their priorities, in order to deliver the best possible technology environment for personal data before the GDPR becomes applicable on 25 May 2018. As part of this rebalancing exercise, they should:
• Critically examine whether they have enough time, space and resources in their programmes to deliver what is required in their technology stacks by May 2018. As part of this process they should consider performing a technology functionality gap analysis, whereby the operational performance of technology is tested against the requirements of (1) the data protection principles, (2) the data subject rights and (3) the programme build requirements described in the GDPR.
• Perform a risk and cost-benefit analysis, whereby the operational risks to personal data, and the legal and reputational risks to the controller or processor of data protection failure, are weighed against the ‘feasibility issues’ associated with delivering technology change, such as the lead time required to source, procure, install and test new technology. Central to this exercise is an understanding of the nature of the technology market and the consensus of professional opinion on what ‘good’ looks like.
‘1995 was a long time ago. In terms of technology, a different age.’
Since 1995 ‘the internet has blossomed, social networking has boomed, cloud computing has taken off, and these changes have fuelled an explosion in data processing’.
Announcing her vision for EU data protection reform, Viviane Reding, former vice president of the European Commission, said data protection must deal with constant technological change, more so than many other legal areas, and that advances in technology since the 1995 Data Protection Directive had overridden individuals’ rights.
Sources: 1. Viviane Reding, ‘The overhaul of EU rules on data protection: making the single market work for business’, 04.12.2012; 2. Viviane Reding, ‘Seven basic building blocks for Europe’s privacy reform’, 20.03.2012; 3. Viviane Reding, ‘A data protection compact for Europe’, 28.01.2014.
In weighing up the options, controllers and processors should bear in mind that, for the first time, data protection law now contains real incentives for the delivery of technology change. As well as the obvious risk of regulatory enforcement action, including the risk of sizeable financial penalties, there is a new ‘litigation risk’ built into the GDPR, all underpinned by transparency mechanisms that will shine a spotlight on what is actually happening to personal data, including when security fails.
Conversely, there are also significant gains to be made from taking a ‘good’ approach to the technology issues. Efficiency and productivity gains are not new arguments in data protection, but we are also now seeing a stronger focus on data protection in B2B procurement and contractual processes. Businesses and their contracting partners are starting to ask more penetrating questions about technology, meaning that entities with a good story to tell will perform better in a competitive market. Likewise, consumers will increasingly factor in data protection issues when choosing where to place their business.