Working as a data privacy consultant: Cleaning up other people’s mess
My biggest task as a consultant is picking up the mess left from other projects. I don’t mean that horribly; it’s more that, during the rush to become “GDPR compliant,” many organizations missed the point. They essentially paid other organizations to do a “gap analysis” and remediation projects that resulted in a “tick list” approach, treating compliance with a single privacy law as an external threat to the business.
This results in the worst kind of management approach to data protection: a point-in-time reassurance of “getting to green,” focused on legal compliance without any thought for the longer-term management of data, the protection of individuals, or the benefits that good data governance can bring.
Data privacy should enhance business, not hinder it
No wonder data protection is often looked at as a “cost” for a business that “gets in the way” of operational delivery. It creates a false dichotomy: data protection as a barrier to an effective business (privacy vs. functionality) rather than a complementary gateway to it (good data governance). It’s also pretty narrow, as most “GDPR projects” focused simply on that regulation and not on the broader privacy laws that may be relevant for your sector, nation or the wider world.
It also created an unrealistic measure of success. Looking at the GDPR as a business threat meant evaluating success through “lack of regulatory penalty” or “having a defensive evidence base” by May 25th, 2018, the date when all organizations were expected to be compliant. Better indicators of success are “continual improvement,” a better risk management stance, improved data governance, improved awareness of the issues you face and, ultimately, better protections for individuals (the entire point, and the point most often missed!).
It also meant that organizations “finished their GDPR project” in May 2018. They stopped, let go of their privacy resources, went back to business as usual, and were happy they had “finished the job.” It’s the equivalent of letting go of your information security department because you’re “secure” today. That’s plain ridiculous, as to “comply” you have to meet Article 24, which at a minimum requires that “measures shall be reviewed and updated where necessary.” Projects, by contrast, are bounded by a beginning and an end date.
Data privacy is about risk management, not compliance
You could even argue that no one “complies” with the GDPR. It just isn’t that sort of law. There are too many principle-based areas that are open to risk management decisions. Where a business has decided, for example, that something is a “high risk” or what “appropriate” security is, it may be that the regulator or the data subject feels differently. Their opinion and risk management decision may be different, leaving an opening to challenge.
In every privacy training course I run, I always ask organizational representatives to answer a straightforward question: “Can you honestly tell me that you have not one bit of personal data in your organization that is held beyond its established retention period?” So far, not one organization has answered that they comply with that single data retention principle, and I suspect their answers are similar to others’. Data protection is shades-of-grey risk management for an organization and an ongoing management issue, rather than a simple binary yes/no compliance issue.
Data privacy is continuous, not a one-time checklist
Too often I go into organizations that “had a go” at GDPR compliance in 2018 and haven’t delivered anything since. They have fallen behind, as their GDPR project focused on the wrong outcomes: a tick list against the articles of the GDPR, rather than delivering a “privacy management system” that drives continual improvement of data governance for the organization over time.
One that doesn’t just look at the GDPR, but also at how relevant local, sectoral and international laws impinge on data governance. One that ensures data protection is viewed as a benefit rather than a cost, an investment in organizational data rather than a response to the threat of regulatory action. One that ensures ongoing management visibility, rather than sweeping the issue away when there is no regulatory attention. One that puts individuals and their rights at the center, investing in ongoing privacy by design and protections for the individual.
Want to learn more about privacy? Check out my privacy courses on Infosec Skills.