
Working as a data privacy consultant: Cleaning up other people’s mess

April 14, 2022 by Ralph O'Brien

My biggest task as a consultant is picking up the mess left from other projects. I don’t mean that horribly; it’s more that during the rush to become “GDPR compliant,” many organizations missed the point and essentially paid organizations to do a “gap analysis” and remediation projects that resulted in a “tick list” approach to complying with a single privacy law, treated as an external threat to the business.

This approach results in the worst kind of management approach to data protection, one that is a point in time reassurance of “getting to green,” focusing on a legal compliance approach without any thought of longer-term management of data, protection of individuals, and the realization of the benefits good data governance can bring.

Data privacy should enhance business, not hinder it

No wonder data protection is often looked at as a “cost” for a business that “gets in the way” of operational delivery. It creates a false dichotomy: Your data protection is a barrier to an effective business (privacy vs. functionality) rather than a complementary gateway to it (good data governance). It’s also pretty narrow, as most “GDPR projects” focused simply on that regulation and not the broader privacy laws that may be relevant for your sector, nation or the wider world.

It also created an unrealistic evaluator of success. Looking at the GDPR as a business threat meant evaluating success through “lack of regulatory penalty” or “having a defensive evidence base” by May 25th, 2018, the date when all organizations were expected to be compliant. Indeed, better indicators of success are “continual improvement,” a better risk management stance, improved data governance, improved awareness of the issues you face and, ultimately, better protections for individuals (the entire point, and the point most often missed!).

It also meant that organizations “finished their GDPR project” in May 2018. They stopped, let go of their privacy resources, went back to business as usual, and were happy they had “finished the job.” It’s the equivalent of letting go of your information security department because you’re “secure” today. That’s plain ridiculous, as to “comply,” you have to meet Article 24, which at the very least requires that “measures shall be reviewed and updated where necessary.” Projects are bounded by a beginning and end date; that obligation is not.

Data privacy is about risk management, not compliance

You could even argue that no one “complies” with the GDPR. It just isn’t that sort of law. There are too many principle-based areas that are open to risk management decisions. Where a business has decided, for example, that something is a “high risk” or what “appropriate” security is, it may be that the regulator or the data subject feels differently. Their opinion and risk management decision may be different, leaving an opening to challenge.

In every privacy training course I run, I always ask organizational representatives to answer a straightforward question: “Can you honestly tell me that you have not one bit of personal data in your organization that is held beyond its established retention period?” So far, not one organization has answered that they comply with that single data retention principle, and I suspect their answers are similar to others’. Data protection is shades-of-grey risk management for an organization and an ongoing management issue, rather than a simple binary yes/no compliance issue.

Data privacy is continuous, not a one-time checklist

Too often I go into organizations that “had a go” at GDPR compliance in 2018 and haven’t delivered anything since. They have fallen behind, as their GDPR project focused on the wrong outcomes, a tick list against the articles of the GDPR, rather than delivering a “privacy management system” that delivers continual improvement of data governance for the organization over time.

One that doesn’t just look at the GDPR, but also at the relevant local, sectoral and international laws that impinge on data governance. One that ensures data protection is viewed as a benefit rather than a cost, an investment in organizational data rather than the threat of regulatory action. One that ensures ongoing management visibility, rather than sweeping it away if there is no regulatory attention. One that puts individuals and their rights at the center, investing in ongoing privacy by design and protections for the human.

Want to learn more about privacy? Check out my privacy courses on Infosec Skills.


Ralph is a trusted advisor on global privacy and security compliance, practices and management. His experience includes strategic GDPR adoption programs, advisory services and assurance delivery in global multinational environments. He has worked in various industry sectors, including defense, public sector, pharma and financial services, representing multinational corporations and boutique specialist consultancies. He continues to be a hands-on practitioner, combining business-level consultancy with training and technical experience. He was responsible for the first global joint 27001/25999 management system to be certified. With a focus on business processes, information protection, and an ethos of management assurance, risk management and knowledge transfer, he ensures effective protection of assets appropriate to the client's business needs.
