GDPR has been built on a series of false assumptions, which means we will fail regardless of the amount of time or resources we deploy, delegates at IP Expo were told by Stewart Room, global head of cyber security and data protection legal services at PWC.
Since 1968, when data protection principles began, our data protection laws have not made their way into the operational actions of entities, but lawmakers have assumed we would be on top of this based on the existence of earlier legislation. Lawmakers overestimated the level of maturity in the market and so assumed it would be a two to four year journey to achieve GDPR compliance, but it is substantially greater, Room told delegates. Entities are performing markedly worse than the expectations of lawmakers, who assumed it [compliance] would be achievable, but the evidence is the opposite.
So while laws should not be passed that cascade us into illegality, the evidence gathered by PWC on actual performance provides a consistent view that maturity levels are such that meeting GDPR requirements is an impossibility for most organisations.
As a result, Room told his audience, “All of us will carry a quantum of illegality into May 2018 and beyond, so the issue is, are we leaving gaps in the areas that matter the most?”
Room went on to point out that GDPR is not just the legislative text; it is much more, most of which is secret and not known. Alongside the publicly available law, regulation and enforcement cases that are made public, there is the majority of cases dealt with on a day-to-day basis, from which lawmakers form views, but which is secret. It is nonetheless part of GDPR, so we need to weigh it into our assessment and find ways to work through it.
In addition, Room asked, how is it that some of the biggest spenders with the biggest teams are getting it wrong? The reason given is that they are doing the wrong stuff. “The activity they are doing is not addressing the thing of importance - Risk. You can only understand risk if you understand the wider context in which GDPR operates,” says Room, continuing, “If you are not addressing risk, it is purposeless activity.”
The biggest risk when starting a GDPR programme now, according to Room, is that if you require the services of third parties, all the good ones are now gone, so there is a delivery risk to the programme. Furthermore, legislative compliance risk is wholly different from regulator risk, which is part of your spectrum of risk (ie the decisions of regulators, not the regulations themselves). Posture is also a component of risk mitigation, and there is the risk of operational failure.
Finally, organisations need to understand the wider context: legal, regulatory, and the false assumptions. This will enable them to make purposeful choices and properly define their risks using root cause analysis.
One of the PWC mechanisms to recognise risk, described by Room, is the adverse scrutiny test. This means identifying a range of stakeholders, internal and external, who will challenge your framework. Once you understand who they are, the visibility test follows: those who challenge will challenge the things they see. So identify those people and the things they will see, whether they be a whistleblower, hacker, partner, regulator, the press, a disgruntled employee or a B2B contracting partner. Each will tackle the thing they see. Understand these scenarios of risk and adjust your programme to hit the things that matter.
Data protection law exists because of fear of technology and the threat it poses to people and their interests. If you do not focus on these areas, then you will suffer.