No real change a year into GDPR, says privacy expert

A year after the GDPR compliance deadline, many organisations still have a lot of work to do to make real changes and shift focus away from fines to business value and gain, says PwC’s GDPR and data protection lead

Data protection is arguably no further forward than it was a year ago in any material sense, according to Stewart Room, lead partner for the General Data Protection Regulation (GDPR) and data protection at PricewaterhouseCoopers (PwC).

“The programmes of ‘privacy maturity uplift’ work that we are being asked to support, a year after all that was meant to have been completed in preparation for GDPR, indicate that there is still a long, long way to go,” he told Computer Weekly.

There are several reasons for this, said Room, starting with a failure by many organisations to transition from their GDPR preparatory programme to business as usual (BAU), where all GDPR-related roles are filled, GDPR-related processes have been implemented at scale, and data protection outcomes are being delivered in the technology and data layers of the business.

“PwC’s vision for data privacy is about how to deliver data protection outcomes inside the data and within the technology itself. It’s about how you make data protection real in tech and data,” said Room.

PwC was highlighting this failure six months into GDPR, saying that it was crucial for organisations to make the key “journey to code” as part of GDPR compliance work.

“Data accuracy, for example, is one of the data protection principles enshrined in the GDPR, but you cannot deliver data accuracy without having some code-based outcome. You can’t deliver accurate electronic data in a non-tech way,” Room said at the time.

Six months later, he said many organisations are still not delivering the necessary change in this regard. “Speaking to chief data architects in big businesses, as well as heads of data functions, I am getting real confirmation from people who are in charge of data itself that they are not involved in the design of data processing systems in a meaningful sense,” he said.

As a result, Room said, the people with the greatest understanding of the science of data and of how to treat, manage and use it are not engaged in the design and building of the applications that process it.

“This is a very significant thing to understand, because if essentially we are saying that for whatever reason the expert on data itself is disenfranchised from data privacy systems or whatever it is, how is it ever going to get better? How do we actually accelerate what data privacy is about?”

Window dressing data privacy

Room believes that one of the key reasons there has not been an “appreciable movement in data protection maturity levels” in the past year is that organisations are not engaging with the people who can change data itself.

“So if you take the fact that we are being asked to do privacy maturity programmes when they should have been done, together with the evidence that data scientists may be disenfranchised, it tells us we are potentially no further forward, and until that changes, we are not going to see any real improvement.”

According to Room, the disenfranchisement of data scientists is symptomatic of a “significant failure to understand in the economy that if we are not engaged with people who are truly experts on data itself, we cannot lead the dialogue in a meaningful sense.”

The result of many GDPR readiness programmes was a plethora of privacy policies, but Room said all that essentially amounts to “window dressing” because policies and procedures are not the “corpus” of data privacy.

“They are facilitators of data privacy. What you want is data privacy to operate inside data and technology. That is the goal, not the policy. It’s about the change to how data is used, and the rest is just window dressing in my mind,” he said. 

Business purpose

Since the implementation of the GDPR, Room said there has been a “fixation” among privacy practitioners on the idea that the regulatory system needs to deliver pain and punishment to deliver change, with a great deal of discussion and focus on the potentially huge fines under the GDPR.

“We are deluding ourselves about the power to change that comes from enforcement action such as fines. We should not be investing our hopes in pain if we want to deliver change,” he said, adding that this focus on enforcement has already led many to believe the GDPR is aimed at US tech giants rather than at them.

“One year on, many organisations are thinking the fight is against US technology companies and not really about them. Not only is that distortion troubling, but so too is the view that pain is key to change because that suggests a fundamental failure to understand the significance and importance of the subject matter in its own right,” said Room.

The focus should not be on the fines and other enforcement actions, he said, but on the fact that the GDPR is about fundamental rights and freedoms. “Data privacy, in the European sense, is about human rights and human protection, which is important on its own without the threat of fines,” he added.

According to Room, there needs to be a change of perspective. “I don’t think that the idea of looking at data privacy as a legislative or compliance issue is the most productive way of looking at it. Instead, we need to look at this from the perspective of business purpose.

“Business purpose is the reason for its existence, and that delivers a value and societal contribution for good. While that value equates to profit, profit itself is not the purpose of the business. The business purpose of PwC, for example, is to help solve complex problems.”

Understanding business purpose and having a purpose, said Room, is recognised as being at the heart of good corporate governance. “The new UK corporate governance code from the Financial Reporting Council [FRC] specifically requires the identification of purpose and a consideration of the risks to the business in the context of its purpose,” he added.

In this context, he said if the use of personal information is critical to the well-being and success of a business, the business importance of data privacy is clear.

“What companies need to be talking about, therefore, is how to equate good use of personal data and data privacy with business purpose, and not how to equate it with a legal compliance issue that may deliver pain,” he said.

Business purpose is about “gain”, while the regulatory regime is about preventing “loss”, said Room. “The argument about gain is much more attractive than the argument about loss. If we start looking at data privacy in the context of the purpose of the business, the reason for its existence and its long-term health, we can start to deliver better outcomes,” he said.

If businesses view data privacy as something that is going to make them successful and look at it through the lens of how to enable business gain, Room believes data is going to be better analysed. “Better quality data analytics may be able to accelerate the performance of particular business functions or it might become an economic asset in its own right,” he added.

But a year on from the GDPR compliance deadline, very few organisations are looking at data privacy from a gain perspective. “Otherwise, the chief data architect would be involved because the whole business is going to be engaged towards gain. Instead, people are hoping for fines to deliver change, which I believe is wholly the wrong way round. What we should be looking at is how do we gain from data privacy, not how do we avoid loss,” said Room.

“Business purpose is the right conversation. If we get to purpose, it will then deliver data privacy outcomes inside technology and data and therefore complete the journey to code. Hopefully, the new UK corporate governance code will act as an accelerator in this regard by putting the obligation on boards to consider the business purpose and the associated risks, and to do what they perceive to be necessary to maintain the health of the business,” he said.