Where Privacy Stands Five Years After GDPR

Antonio Rocha
Author: Antonio Rocha, Data Leader
Date Published: 17 January 2023

In 2018, the General Data Protection Regulation (GDPR) went into effect. So where does the privacy landscape stand in 2023, five years after that landmark regulation elevated the global prominence of the privacy profession?

The most interesting aspect of privacy for IT and business professionals is that it facilitates the discussion of data in an enterprise management and governance context. Being capable of transforming data into information and information into knowledge, with a usable management output, has always been our goal, our raison d’etre.

Context-wise, 2022 was a hard year. In IT, security, enterprise data, enterprise AI, and PaaS/XaaS, we’ve witnessed the long-term consequences of many strategic choices. The general recognition that the world’s technology giants are riding their business models on huge technical and regulatory debt was a very sobering realization. 

The conviction of a former CSO of a global company on federal charges shook the privacy and security communities. Yet, regulators have been mostly friendly to businesses and have not yet flexed their own Supervisory Technology (SupTech) muscles if we take a mostly Western-based view. If we look to other regulatory realms such as Asia (namely, Singapore and China) we can observe more technical-driven approaches to regulation and a state-of-the-art tech ecosystem. “Tech,” applied by regulators, at scale, could rapidly change the outlook into a much more informed and damaging “heavy hand,” especially if mixed with market abuse and algorithmic cartels that the industry should really avoid.

Looking back and considering the “data tsunami” many of us have come to experience every day, it has been clear for a long time that there’s a considerable gap between tech and the business, especially on regulatory ops. While in the early days of the internet its transactional nature was mostly apparent, now we are fully “immersed.” It doesn’t just start with Moore’s Law:

Where Privacy Stands Five Years After GDPR

When the GDPR was initially written, we lived in another data world. We’ve evolved 50x (!) from that time in less than a decade! 

As IT professionals of all tribes, we have grown accustomed to navigating data-heavy environments. Increasingly, we are also gaining experience with AI and systems that allow and deliver steep personalized, stylized experiences to both external and internal audiences. Furthermore, we can stack up intelligence in ways that are much more accurate and powerful.

A lot can be done with technology, but foundational elements such as privacy need to be a part of the foundations at the data and data governance levels.

With privacy as a foundational element of the data proposition, we can “electrify” the company with plenty of automation, orchestration and even AI because the mandate for data use is embedded into the entire landscape and ecosystem through regulatory ops.

In the end, it’s all about the users. Companies with trust will develop “better users” with a stronger AI feedback loop and overall improved quality of their products. Companies with poor data compliance will continue to experience a very considerable drag to their speed. The ability to comply with multiple regulations, at scale, is now “alpha.” This requires and demands proof all around. It’s a Trust Ecosystem.

Let’s acknowledge some simple truths, reflected in ISACA’s Privacy in Practice 2023 report. First, the elephant “herd” in the room. Privacy is yet to have an established corporate figurehead. And a couple others: privacy is significantly underfunded and generally does not have adequate governance. 

People

  • The main privacy “owner” is marginally the CPO/DPO at 21%. All other functions that hold the ownership (CEO, CIO, CISO/CSO, CCO/GC/CLO) have a combined 62% of role ownership. All of these, it has to be said, have a conflict of interest in terms of their main function vs. privacy. This means that from an enterprise risk management and compliance perspectives, this area is ripe with conflict across the whole suite.
  • The majority of privacy roles are composed of legal professionals, not technical IT staff or hybrids.
  • Job mismatch: (job ads are often open more than six months; expert-level roles are hardest to find)
    • Experience managing certain domain-specific applications is what seems to be most important (hiring managers looking for “application implementors/managers”)
    • Experience with frameworks comes next
    • Legal knowledge (despite the fact most privacy laws can now be “summarized,” actionable by taxonomies and ontologies) is also sought after.
  • Privacy engineering is a new and very broad engineering area, with a stark need for skills mapping, to be embedded into the engineering skills framework of the company, and carefully decided in terms of ownership, development and recruitment. It has elements of information management, security and AI, and and requires specific process mapping and development that makes it a complex area to manage.

Process

  • The majority of respondents in the ISACA Privacy in Practice report significant underfunding of programs.
  • Privacy programs are lacking:
    • A strong business stakeholder;
    • Clarity on the mandate, roles and responsibilities;
    • Privacy strategy;
    • And in-depth, data-driven measurements.

(All above are basic program management)

  • Frequency of meetings between technical and legal are a mirror of real collaboration:
    • From never (6%) to quarterly (28%) or monthly (17%).
  • At least 42% freely admit they are not or are only “sometimes” practicing privacy by design, with only 30% responding “always.”
  • Only 11% admit a material breach of privacy in the last year(!).

Technology

  • Mostly, and despite a whole ecosystem of tools, the legal/technology divide has a deep impact into vendor choices. Here, I decided to focus on solutions, as the length of the list would be too long.

Now that we’ve examined “challenges,” let’s venture into solutions. Privacy must, at the very least, accompany the present state of data processing of a company and be a key enabler of improved data maturity. Without strong privacy practices, no data management operations can be considered mature or yielding sufficient ROI.

It’s clear that privacy is an essential part of the data maturity transformation most companies are undergoing and is needed in order to operate in a positive ecosystem manner while maintaining growth.

Here are some ideas on how to embed privacy as part of the data trust proposition of your company:

People

  • Be frugal. In dealing with complexity, less is more. Quality people are worth x10, but quality can also be developed with time, training and other techniques.
  • Privacy leadership needs to be clearly established and at minimum conversant in:
    • Corporate IT and business environments (with a leader who understands them)
    • Innovation
    • Digital/data business model
    • Your tech stack
    • Your data products
    • “Eats strategy for breakfast” and is able to imprint a sophisticated data privacy culture
    • Contributes to overall data and strategy plans with CDO/CISO/CIO/CTO
  • Skills: It’s fair to make leadership choices on leadership skills, but managing an IT technical area should be on principle owned by a technical manager or at the very least a very experienced hybrid (with a succession plan or a strong number two, preferably with a security background)
  • Being a learning machine. Big decisions last and build considerable consensus around them but – welcome to leadership – there’s always risk. The buck stops with YOU.
  • Governance: Avoidance of conflicting duties is paramount. Avoid at all costs spreading privacy decision-making to other C-suite offices. Bear in mind that some statutory roles such as the GDPR’s DPO are “advisory” and that no operational data decision-making should be made by them. A true operational leader with data operations experience is required.
  • All human elements of “Privacy Central” must:
    • Have an element of “privacy selling,” such as making compliance interesting
    • Have experience with change/pain/failure
    • Human traits: honesty, low ego, deeply collaborative, open nature, transparent, ethical, able to digest large quantities of information, able to deal with conflict, able to learn and think of consequences at scale
  • TrainingOps: Content must be developed for self-help and from a user’s perspective—train the trainer, requiring constant development/contributors.
  • Diversity: Teams require people from diverse backgrounds to develop a cultural outlook, different perspectives and experiences, and a lower DataOps risk.
  • A mix of both legal and technical skills—not just from security, but from information management, risk, AI CoE/office and/or CDO office/CoE. These are not “champions.” They report to privacy, or have a dotted line elsewhere. Privacy manages them.
  • Learn: In IT, mistakes multiply at scale and often globally. Learn for free from other privacy failures.

Before we discuss any strategy for process, let’s focus on the basics first. Companies with a “low score” for data processing (data usage is small, low complexity and risk) can adapt and maintain without considerable risk. Immediately after, when the “data driven” spectrum starts (any score greater than low), companies will need to treat privacy as a recognized IT discipline, responding to the usual IT stakeholders (CTO/CISO/CDO/CIO) and others.

To what depth and degree your data operations require, you can find data to support your change requirements.

Process

  • I will repeat for emphasis, be frugal. In dealing with complexity, less is more.
  • PrivacyOps
    • PrivacyOps are practices developing privacy flavors, such as from the DevSecOps family.
    • BUT Privacy Ops is not just that! It also requires:
      • Data-driven
      • Tech-first
      • Automation and orchestration
  • Data-driven:
    • Identify, treat and register a collection of “privacy events” from the data tsunami.
    • Establish a data pipeline to all the IT/data places you need visibility into. The first will crash. Iterate and move on. From the stream, acquire relevancy, and work your way forward.
  • Tech-first. A lot has been written about this one, so I will simplify. Take a scientific process-first approach to most of the information you want to develop for managerial decision-making. The rest is culture and collaboration.
  • IT change: Understand how to deal with it. Change is never easy and in IT, ever-existing. Besides going after the basics first, every decision must become a strategic one.
  • Documentation: Prioritize simple documents with clear language (“legalese” replicates itself like a trojan).
  • Invest time in developing your own tailored, scalable, library of controls for your data tsunami.

Technology

  • Once again: be frugal. In dealing with complexity, less (vendors, controls, etc.) is more.
  • Strategy: “The Little Piggy.” Much of tech leadership is about small, precise bursts that we know for sure work and minimize risk. What are the sure projects that will get done? How will your small change get done? Piggyback and enjoy the ride!
  • Applications. Respect them. Map everything you must know/have, but go through all the applications the company already has and take stock first. Be frugal. Often, they might connect with others in many ways that will require configuration, management and proper managerial training and use. Invest time in knowledge accumulation before you make any big IT decisions.
  • User topology: while users should be empowered, learn what IT powers they already have and think about them at scale from multiple perspectives.
  • Strategic vendor management: Fit, pricing, risk management and L&D are all critical.
  • What technology will help develop your connective tissue?

Let’s wrap-up!

Privacy should be an entirely customer-centric activity, where brokers must connect with users and/or their platform representatives, generating and managing their data for validation and acceptance.

Platforms with embedded compliance are already making waves, and the big cloud players are making XaaS more like “company as a service” every day. 

From regulator and consumer points of view, it’s our job to build controls, ensure that they are query-able and that they provide real accountability.

The final objective is developing a “data-centric” compliance as a service (CaaS/GRC) approach to privacy. Managing privacy must accompany a data governance and consumption, ecosystem-like approach to help raise data maturity across the board.

For privacy officers, this means being part of the overall data maturity movement of your organization. 

For the business ecosystem, this means having privacy officers who can speak your language and you can partner with, intensively, to both simplify and build complexity.

Then, we can finally close the gap to create the connected enterprise that is AI-driven, and “electrified” by and for data usage, in every possible way.