Data Protection Archives

GDPR: Gross Disconnect in Perception and Reality | Sherpas in Blue Shirts

July 11, 2018

GDPR, the European regulation on data protection and privacy (and whose letters actually stand for General Data Protection Regulation), aims to make enterprises more accountable for the protection of EU citizens’ personal data. In a stark deviation from the earlier data protection directive, GDPR places data protection responsibility on both data controllers and processors. The following figure provides a comprehensive view of GDPR and its many requirements.

Since GDPR became legally binding on May 25, 2018, it has brought the discussion around privacy of personal data to the forefront. It has mobilized data subjects to action, and enabled them to play a pivotal role in ensuring protection of their personal data, while holding enterprises accountable for any data breaches or non-conformity to data subject rights as provided by GDPR.

GDPR has received a lot of flak since it was approved by the EU Parliament in April 2016. Common complaints focus on the enormous fines associated with non-compliance – 2-4 percent of the company’s annual turnover – and the high cost of compliance, which could reach up to millions of dollars.

Given the hefty fines, one would expect enterprises to be shaking in their shoes and adopting a more proactive approach in complying with all of GDPR’s requirements. However…

Enterprises are Taking a Blasé Approach to GDPR

…More than a month past the deadline, enterprises’ response to GDPR compliance remains lukewarm. Consider the following comments from Everest Group clients:

“25^th May is not the end. In many places, it starts off the journey to data privacy. We are in a good position, but we still have a lot to do after the 25^th.”

– Director of Transformation at a financial institution

“GDPR involves huge amount of money, and I am not sure if it’s necessary. I don’t know what we are gaining from it, or if it offers any value to the organization. We could be spending the same money elsewhere for more value.”

– Head of Platform Delivery at a leading financial institution

Our GDPR research with enterprises across verticals and regions suggests that enterprises are not breaking into a cold sweat and are adopting a strategy based on minimum viable compliance. As counterintuitive as it might sound given the high cost of non-compliance, 90 percent of enterprises are adopting a “wait-and-watch” or “good enough compliance” strategy. They are making basic remediations to existing systems and processes, while exerting caution in making heavy investments towards compliance.

Of course, there are region and industry specific variations. U.K. enterprises are way ahead of the curve than their counterparts in the Middle East. B2C businesses are adopting a more proactive approach than B2B firms. Still and all, most enterprises embarked on their GDPR compliance journey only a few months before the legally binding deadline, leaving a lot unaddressed, untouched, and unfinished. In fact, our research revealed that only 10 percent of enterprises were compliant with all the requirements of GDPR before the deadline.

A Golden Opportunity to Build Trust

Even before GDPR, enterprises had to comply with a series of regulations affecting different aspects of their business, including personal data. Today, enterprises perceive GDPR as an ongoing part of business-as-usual. This assumption, though flawed, is leading them to believe that a simple approach focused on demonstrating their intent to comply, rather than actually being compliant, will be enough to evade the hefty non-compliance fines.

However, by basing their GDPR strategy on such assumptions, enterprises are exposing themselves to reputational and financial risks. There is no dearth of examples to support this viewpoint. Data breaches were a significant factor responsible for both Uber and Yahoo’s drops in valuation. Adobe had to pay US$1.1 million in legal fees and an undisclosed amount to users to settle data breach claims. With the Cambridge Analytica scandal, Facebook’s stock price plummeted, and the court summons only darkened the existing stain on firm’s reputation.

Data breaches have made today’s digital world deficient in trust. By choosing not to invest in GDPR, enterprises are losing out on a golden opportunity to build trust with their customers and stakeholders, and make their security systems/data protection methodologies robust.

Further, if, as expected, GDPR inspires other economies to introduce similar data privacy standards, compliant enterprises will benefit in the long run and enjoy seamless access to the global markets. Hence, a piecemeal approach to compliance will derail enterprises’ train, and slow their ride to the global opportunities provided by the data powered economy.

For a detailed view of enterprise GDPR priorities and investments, along with leading service provider capabilities in driving compliance, please download our report entitled GDPR Services: Gross Disconnect in Perception and Reality – Services PEAK Matrix™ Assessment 2018.

Could RPA and AI Save GDPR Laggards from Hefty Fines? | Sherpas in Blue Shirts

October 17, 2017

With just seven months to go to the General Data Protection Regulation (GDPR) compliance deadline, many companies still have wholly inadequate data management capabilities. Strict requirements for personal data security, privacy, and the right to erase, among other things, will cause severe headaches for many CIOs not only in the EU but in all regions, as organizations will have to know which data is and is not subject to the regulation, and where in the world it is stored.

Download our special complimentary report: EU GDPR: Is There a Silver Lining to the Disruption?

No doubt many complex and conflicting scenarios will arise out of GDPR. For example, consider the following data-related issues:

When a request to be forgotten comes in from a customer, how will the organization find all the occurrences of the same data across the vast enterprise IT estate?
Will public and private cloud and other infrastructure providers be able to handle the requirements in a timely manner?
What would be the knock-on effect of a customer asking for his/her data to be erased? What systems will be affected and how would that effect audit trails and other regulatory requirements, such as maintaining company-related data for audit purposes for several years?

These and a multitude of others will take many more years to understand, get guidance on, and resolve. In the meantime, companies must be compliant, or face fines that are the greater of €20 million or 4 percent of global annual turnover.

For those organizations that have not yet prepared for GDPR, the overheads of data management are increasing significantly. For example, they must figure out how to best obtain and maintain personal consent, handle access requests, process revocation of consent and requests to be forgotten, train personnel to know what they can and cannot do with data under GDPR, ensure outsourced services, cloud providers, other suppliers, e.g. in the supply chain, and partners are compliant, and run audits to check the readiness and effectiveness of the provider/supplier/partner ecosystem.

Enter RPA

This is where, with its rules-based bots, Robotic Process Automation (RPA) could prove to be God’s gift to the laggards. Scenarios where RPA could be ideal include, but are not limited to:

Running audits of data against consent and revocation databases for compliance
Checking a queue of in-coming consent or revocation requests, and acting upon them, e.g., setting the right flags in systems or actively deleting data while maintaining an audit trail
Producing audit reports
Propagating changes of personal data and related consent across all the systems that hold that data, by cutting and pasting updates and maintaining consent-related databases

The role of AI

As organizations collect more and more GDPR-related data, Artificial Intelligence (AI) solutions could come into their own by helping with risk and impact analysis and reporting:

How many systems will be affected by a GDPR consent and access related change?
What is the knock-on effect on workloads and audits trails? How do these affect other regulatory requirements of data retention?
How many systems will be affected, and what would be the impact on operations and other legal and regulatory requirements?
What is the data security threat level of the day? What is the likelihood of data breaches on a daily/hourly basis, and what preventative measures could be taken?
What security breach has happened and what actions have been taken? Who has been affected by it and must be notified?
Additionally, good governance is an imperative for GDPR. RPA and AI can be used to embed governance in daily operations for enforcing and monitoring purposes.

A new era of data protection is upon us. It is coming at a time when, some would say, that companies have taken far too many liberties with their customers’ data. The full implications for businesses are yet to be understood. But we believe that all organizations that hold or process personal data will experience some disruption in service delivery as a direct result of GDPR. For more on Everest Group’s point of view, please see our latest free publication: “EU GDPR: Is There a Silver Lining to the Disruption?“

Announcing our inaugural conference: Everest Group Engage, The Pragmatic Edge: Designing Your Future. Learn more.

Tag: Data protection

How can we engage?

Contact Us