“Want a job for life?” asked a keynote speaker at a compliance conference a few years ago. “Then get into the privacy business, you’ll never face a jobs crisis.”
New EU rules on data privacy start on May 25th next year. Known as the General Data Protection Regulation (GDPR), they’re a powerful job creation mechanism, now moving to full throttle. As an earlier EY report states, these rules are
“… a game changer for organisations.”
Another report along the same lines claims the GDPR to be
“…the most momentous change in data protection legislation in the past 20 years; it’s the first attempt to create strong, meaningful and enforceable data protection laws for Europe’s 500 million plus citizens.”
The EU general data protection regulation: time to act, TrendMicro
The new legislation is indeed far reaching. There are some 261 pages of regulations and they’re set to bulldoze through corporate organisational processes. These will force changes in policies from IT and HR departments through to sales and marketing. GDPR will radically alter how data can be collected, stored and deleted.
And while the regulation has a lot to say about what you need to do, it doesn’t tell you how to do any of those things.
These new rules offer protection for EU citizens’ and residents’ personal information. This includes data related to their health, genetics, biometrics, race, sexual orientation, and political opinions. This data is worth countless millions as companies increasingly turn to personal data for new product ideas and advertising revenues.
Adjusting to this new world of privacy protection will challenge even the largest, well-resourced companies.
“…when you take into account the time spent by our existing teams…it is likely to cost millions of dollars.”
Facebook, FT August 31st 2017
The rules require companies to ask for explicit consent before using personal information. Just think of how many web sites you visit that demand personal data and expect you to input everything from your date of birth to your job, or the size of your employer.
Also, many companies and most large public bodies will need to hire a designated data protection officer (DPO). One of their new jobs will be to ensure user requests “to be forgotten” can be met. They will also need to be able to notify, within hours, those who have provided private data of a breach of security.
So right now there’s a vigorous recruitment drive underway for security personnel. To some observers this is starting to resemble the one that triggered the earlier explosion in demand for compliance professionals.
Currently, the International Association of Privacy Professionals (IAPP) estimates that Europe needs some 28,000 DPOs to achieve perfect compliance by the May 25, 2018 deadline.
This battle for the new type of security expert seems to be taking its toll. The UK’s own Information Commissioner, for instance, has publicly demanded more staff. Worse, she complains that large consulting firms are poaching the experts she already employs.
Those poached won’t be swanning off to a comfortable niche. This new breed of data professional, or team, will inherit a complex workload. Just how complex is usefully explained by a long-standing video from TrendMicro, a respected company specialising in the sort of security envisaged under the new regulations.
So the new job will be high profile, because as the UK’s Information Commissioner puts it:
“Data protection is not a back burner issue any more.”
Take for example the requirement for companies to report any data breach within 72 hours of it happening. This sounds sensible. Yet many firms will find it challenging to get anywhere near this performance standard.
The coming changes also pose new leadership dilemmas. For example, what exactly does it mean to be an ethical leader when privacy and the protection of data start to matter so much more?
“It underlines everything we do, in our personal lives, as consumers, as well as policing and law enforcement, criminal justice, everything relies on data. That’s why this is such a critical issue at such a critical time.”
Elizabeth Denham, Information Commissioner.
From a leader’s perspective there’s much to do. And not much time in which to do it.
Take for instance the need to regularly scan company systems to identify vulnerabilities. For companies this was once a “nice to do”. No longer. Now it becomes an essential company capability.
Yet fewer than half of all companies currently conduct such scans. The technical requirements for this form of monitoring will be demanding. Many firms do not even encrypt important private data.
Putting all this to rights creates the nearest thing to a guaranteed job for life that anyone in our era of job insecurity can hope to find.
Doing what’s right
Business leaders often proclaim that “doing what’s right” comes built into their core culture. Yet the goal posts keep moving. For instance, a firm may stay safely within the law yet still not follow its spirit or intention.
GDPR implies ethical business leaders must now give more than a passing nod to the issue of privacy.
For example, as role models, do they possess sufficiently acute antennae for detecting whether their company’s privacy methods are robust? Hiring professional privacy experts may help, but this won’t be enough. Nor will knowing the rules be sufficient.
According to available research, most UK companies don’t even adhere to current regulations. Only 63% of companies follow the Data Protection Act. More than one in ten (11%) are even unaware which regulations their businesses need to adhere to.
Given the above situation, here are the three essential tasks facing ethical business leaders.
Three essential leadership tasks:
- New tone at the top promoting company-wide awareness about privacy
This is about changing the culture of an organisation. Firms must become more sensitive to the issues of privacy and the implications for every day practices.
In particular, they must be able to show they are accountable. This will demand rigorous ways of monitoring, reviewing and assessing data processing procedures.
Such a wide ranging effort will best be led from the top, with leaders speaking out about the importance of privacy, why it matters and what sort of changes must occur.
- Identify new systems for treating private data with more respect
This implies fresh thinking about how your company treats data. This includes the technical and behavioural changes needed to meet the new standards set by GDPR. The regulation, though, remains nebulous when it comes to listing solutions or technologies to achieve compliance.
The best starting point will be to conduct a visibility assessment. What data exists within the company environment; what types of personal data, particularly regulated data, does the company collect, handle and store?
The aim implied by the new regulations must be to gain a deep understanding of company risk exposure, and then to prioritize further compliance efforts from there.
The new regulations push companies to uncover what personal data they hold and where it’s located, whether on PCs, on servers, or in the cloud. They must develop procedures to ensure complete data removal when they receive a request to do so.
- Install the right technologies to deal with insider and external threats.
This is the practical task of installing new systems and includes:
i) Protect privacy
ii) Develop continual monitoring of what’s happening to data
iii) Install fast remedies for breaches of privacy
Monitoring must be able to recognize and act on breaches when they occur, and there must be a formal incident recovery plan to deal with the repercussions.
It all looks uncomfortably like a bonanza for security firms everywhere. The outlays to achieve the above will be hard to avoid. Fines for breaching the regulations can be up to 4% of an organisation’s global annual turnover.
A useful recent BT report explains the five essential capabilities firms must develop: identify, protect, detect, respond and recover. An IBM review also produced a five stage approach which explains what needs to happen and when.
The technical ability to manipulate huge stores of data adds yet another layer of urgency in mastering the new regulations. What we must now learn to call Big Data has moved from theory into practice.
While there is no generally agreed definition of what Big Data means, we know enough to be wary of its potential for good or harm.
For example, it has the potential to combine vast quantities of digitized information previously hidden away in cabinets and files. Some data experts take a radical, even grandiose view of what is happening:
“I have come to believe that the new data increasingly available in our digital age will radically expand our understanding of human kind.”
Seth Stephens-Davidowitz, Everybody Lies, Bloomsbury 2017
“Big Data will make the market smarter and make it possible to plan and predict market forces so as to allow us to finally achieve a planned economy.”
Jack Ma, CEO Alibaba
A more modest view is that Big Data allows the spotting of patterns and trends, and the making of informed predictions. Responsible data scientists look for these, rather than details about specific individuals and their respective behaviours and preferences.
Such fastidiousness, though, may not prevail across all businesses with access to vast stores of private data. The ability to share and combine many huge data sets for commercial gain keeps growing, along with the potential to shape human development for good or evil.
The new data rules will hopefully prove a counter force to those who would exploit the potential for Big Data to do harm to people’s privacy. In particular, ethical business leaders need to recognize the dangers as well as the benefits of big data.
In the front line guarding against the unethical exploitation of Big Data will be two prime movers: the ethically driven business leader, and the Data Protection Officer.
The DPO may well outlast the ethical leader when it comes to job security.
EU General Data Protection Regulation: Are you ready? Ernst and Young, 2016.
EU General Data Protection Regulation Report, Trend Micro, 2016.
T. Fischer, Preparing for GDPR compliance: Guidance & recommendations, Proportal, June 13, 2017.
N. Lord, What does the GDPR mean for global data protection? (infographic), Digital Guardian, July 27, 2017.
Dealing with new EU data-protection regulation, BT, 2017.
B. Thompson, Data protection watchdog needs more staff says commissioner, FT, 4th September 2017.
S. Stephens-Davidowitz, Everybody Lies, Bloomsbury, 2017.
The impact of GDPR Compliance on IT and Security, Metricstream, slide show, 2017.