Quantar Blog

Tips to make your compliance programs actionable

Quick Tips

Having a GDPR program does not mean it will become embedded successfully within your organization

There is a theory presently emerging from behavioural science labelled “cognitive uncertainty” (Enke & Graeber; Harvard University). It seeks to explain why people facing unknown odds behave as if they were facing odds with greater certainty. In practice this manifests as treating the uncertainty as closer to 50:50 than to, say, 10:90 against. Enke & Graeber argue that cognitive uncertainty is a lack of confidence in one’s own judgement: people suspect their sums are wrong, that they have misunderstood the problem, or that their memory is failing them at the moment they make a decision.

If this theory is correct, and there is plenty of previous research on judgement and decision making to back it up, then how your company manages data risk and compliance programs may be influenced by it.

The GDPR’s accountability principle (Article 5(2)) requires business processes that proactively demonstrate compliance; periodic audits or spot checks on their own are no longer sufficient. Personnel face an IT environment that is always changing, as are the methods for acquiring, protecting and processing personal data.

The fines imposed by the ICO (Information Commissioner’s Office) will likely vary depending on how well a company can demonstrate that it respects personal data and the efforts that have been made to protect it. Article 83(2) explicitly lists the technical and organisational measures a controller or processor has implemented among the factors a Regulator must weigh when setting the level of a fine.

Thinking that your programs ensure compliance and that the chance of an error is less than 50:50 is not the same as quantifying, with hard evidence, what the probability really is. At the same time, since guidance on the GDPR continues to evolve, as does the way Regulators approach the requirements for compliance, there will be a need to account for this moving target.

So how does a company ensure that it complies on an ongoing basis, and are there any tips to assist in this?

1. Check your relevant Regulator’s website in a scheduled and documented manner, since each has grown month on month with supporting documentation and information on what changes are, or will be, implemented. Record the date of each check and what changed, so that the review itself forms part of your evidence of compliance.

2. Every company has to demonstrate that it understands its responsibilities and has accountability, processes and governance in place, but so often STEWARDSHIP is totally omitted from the data and regulatory compliance process. Make sure that you understand data stewardship and have a data stewardship program that is coupled to, and provides input into, your GDPR program.

3. Create documented records of how your company develops and uses intelligence and sensing for data risks (proactive), and also of how it responds when led by events, relying on institutional agility and flexibility (reactive). Demonstrating that you are simply aware of a risk is not the same as demonstrating that you understand the actual or potential risk and how you have eliminated or mitigated it.

4. In the same way that certification programs such as ISO/IEC 27001 (information security management) and ISO 22301 (Security and resilience – Business continuity management systems) require a company to actually demonstrate to an auditor that its systems and processes work, so your company should undertake actual breach response practice. Every person in the organization should know what to do in case of a breach, and undertaking a simulated breach is the only way to gain sufficient insight into your actual readiness and preparedness. Remember that Article 33 requires notification to the supervisory authority, where feasible, within 72 hours of becoming aware of a breach, so the exercise should be run against that clock.

5. The GDPR focuses on record-keeping around consent and the audit trail you need to have. Consent must be as easy to withdraw as it was to give (Article 7(3)); keep clear records of all consent taken, establish straightforward withdrawal mechanisms and regularly review procedures to keep up with any changes to processing activities. Then, as with a simulated data breach exercise, undertake a planned, detailed and documented series of consent objections, withdrawals and changes of use to create a gap analysis between your present status and where your senior management and DPO require it to be. This will also form part of your audit trail, for any Regulatory audit, of how you manage your personal data.

6. Do not simply appoint a DPO. Whilst you will have a DPO working hand-in-hand with a Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership, you may also look to appoint a Chief Privacy Officer. This role supports the others by being a champion of privacy within your organization: the individual, or individuals, who interact on a daily basis with personnel in operations, ensuring that data privacy is at the forefront of their actions.

7. There is no guarantee that your data practices are in order, and there is no single tool that can provide such an assurance. However, there are a number of tools that can assist with compliance, covering data discovery, consent management systems, self-assessment toolkits and comprehensive data management platforms, and some of these may already be in use for other purposes without the realization that their output can also serve as auditable proof of compliance. Undertake, with your business process managers and business analysts, a detailed investigation of how individual outputs, or a combination of them, could be utilised to create compliance support data.

8. The GDPR restricts the transfer of Personal Data to recipients located outside the European Economic Area (EEA). Understanding the appropriate use of the available lawful Personal Data transfer mechanisms (an adequacy decision for the destination country, Standard Contractual Clauses, Binding Corporate Rules, or one of the narrow derogations in Article 49) is essential for all organisations that wish to carry out transfers of Personal Data to Third Countries. These can prove tricky for your front-line operational staff to navigate, particularly in relation to ad-hoc data transfers. To facilitate transfers legally, create decision trees so that staff fully comprehend when, and under what conditions, such transfers are permitted. Using simple, inexpensive tools such as decision trees also enables swift changes to be made where required, without the need for additional training.

9. Define performance metrics for your GDPR program. They will demonstrate the continued improvement of the company’s Personal Data related operational practices. Examples of metrics that could be used for this include the rate of satisfactory resolution of Data Protection complaints, response times for Subject Access Requests, and the audit trail showing that a data breach was managed according to the company’s policies and procedures. These metrics inform senior management and the DPO, and can be presented to a Regulator.

10. Evaluate using a multi-layer approach. When executing evaluations of Personal Data related operational practices, use layers to cross-reference the data, such as: business process owner self-assessment; internal audit review of business unit compliance; external party audit of organisation compliance. This method produces benchmarks that allow a direct comparison against previous assessments and audits, both in terms of operational compliance across business units and operational performance against peer organisations.