With so much emphasis currently on the GDPR, albeit for many companies in the form of procrastination, it may be hard to see any other point of focus beyond the fast-approaching deadline of May 2018.
It's right that we look at the impact of the GDPR on businesses over the next year, but let's not forget that the data revolution has not been put on hold while the GDPR works itself out. In fact, it's moving centre stage and data governance is in for a roller-coaster ride next year!
Of course the world will keep turning and the sun will rise on 25 May 2018. And if darkness does envelop your world, we hope it's a new light bulb you need rather than having to invoke your incident response plans for a major cyberattack. There is much talk about waves of crisis that could hit organisations, stirred up by increased GDPR awareness. One often-predicted wave is a deluge of subject access requests (SARs), on the assumption that individuals are waiting until the GDPR is fully in force before exercising their access rights. While these rights already exist under current law, it's easy to see how a press-fuelled hysteria could spur individuals to test out their newly enhanced rights. Some organisations are, perhaps, more in the firing line than others; however, all companies need to be prepared for an increase in the number of SARs to avoid being submerged.
It's not just regulators who will be scrutinising controllers and processors for compliance issues. Anyone having to comply with the GDPR will be watching closely to determine how regulators respond to serious failures to introduce the regime of accountability and governance that the GDPR requires. How tough will the ICO and other supervisory authorities (SAs) be on such breaches of the GDPR? Given the complexities of data-driven businesses, especially the intertwined world of processors and multiple jurisdictions, any major breach or GDPR failure will not only test the lead SA model for Europe, but also push further towards global cooperation among data regulators.
Less C3PO than arise Sir DPO!
With the GDPR requirements around appointing a Data Protection Officer (DPO), we believe this role, for data-centric businesses in particular, will become far more influential across the business and the senior leadership team. This elevated position is inevitable and should bring not only genuine parity in terms of seniority within the business, but also clear reporting lines to the board. In fact, we think it's inevitable that we will see DPOs joining the board and, perhaps, taking responsibility for other risks too, for example those risk-ownership lines traditionally held by CIOs and CTOs.
The GDPR will also impact on other traditional lines of risk ownership, and it's easy to see that the role of procurement and supply chain/vendor management will take on a new shape to address the changing risk and operational requirements – it's an area that businesses simply can't afford to get wrong.
From shrug to hug
For too long, we have seen many organisations respond to the suggestion that they need to embrace data protection compliance with the same shudder as some felt when a certain politician suggested we should 'hug a hoodie'. However, we are already seeing a warming up and expect to see the embracing of data protection compliance in 2018, not only as a form of compliance badge but as a real business differentiator, with organisations promoting their compliance status and using it to attract and win business and talent.
Data flies the nest…
As data continues to take centre stage, one of the biggest challenges for organisations and, arguably, for DPOs will be having governance and accountability that can flex to the changing data ecosystem. As the demands on data increase in terms of transactional activity and extracting asset value, data technologies are promising much more in terms of the data itself becoming smarter and not relying on the systems around the data to do all the hard work.
One of the key challenges to GDPR compliance is ensuring that the operational aspects of systems become compliant. In the not too distant future, compliance controls could extend from systems to the smarter data itself. The concept of so-called 'self-aware data' is a great example of why Privacy by Design (PbD) will need to evolve.
If data itself becomes capable of living up to a policy rule set, then the value of metadata in enabling the data to proactively transmit, categorise and, in some cases, even analyse itself against defined purposes will also have to be matched by PbD that can live up to these complexities. Another area to watch will be the advantages that smart data can bring: smart data that can itself live and breathe a form of self-governing PbD, without relying on applications to achieve that control for the millions or billions of data sets swimming together in a data lake.
Some commentators even suggest that smart data may lead to applications moving closer to the data rather than data always existing within the applications, so PbD will have to evolve with data that flies the nest.
Shining a light on cybersecurity
We were intending to predict that the cover-up of a significant data breach by a major corporate would come to light in 2018, with all of the obvious consequences, but unfortunately events have overtaken us, and we have already seen this in 2017. More incidents of this type are likely to appear after the GDPR reporting obligations come into effect, as regulatory investigation of breaches taking place after 25 May 2018 brings into sunlight previously unreported breaches (although, to paraphrase Brandeis, it remains to be seen whether the electric light of notification will be an efficient policeman; we doubt it).
Our next prediction is that we will see more patch-related breaches. Companies still tend to wait a short period before installing patches because of the risk of a patch causing other problems. At the same time, however, hackers are becoming quicker at disassembling patch code to work out which vulnerabilities it closes, and at attacking those vulnerabilities before the patch is applied. We remain hopeful that regulators will be pragmatic where breaches occur within that window, but the risk assessment is changing and there is scope for a regulator to take the view that a business got it wrong and act accordingly. On the subject of patches, expect to see more CCleaner/MeDoc-type attacks, where malicious code is inserted into legitimate software before it is released, so that a trusted patch itself becomes the weapon.
Finally, are we going to see breach-related fines of tens of millions of pounds from the ICO in 2018? We don't think so. The ICO has been careful to pour cold water on predictions (mostly by those in the cybersecurity industry) of eye-watering fines. The GDPR does allow for such fines, but they will not be commonplace. Having said that, handling a breach poorly can lead to other (cumulative) breaches, such as failure to notify the regulator or data subjects. If a large, well-resourced company suffers a major breach, has had previous security issues, and handles the incident poorly, then a significant fine should be expected.
One giant leap for data…
The GDPR will continue to be a compliance challenge (not only prior to May) and for many organisations it will no doubt be a cause of migraines. Early or fast adopters will see the benefits, and while they may never chant 'GDPR' with the same infectious merriment as singing along to 'YMCA', we will see companies looking to seize the commercial advantage of GDPR readiness ahead of their peers.
The real challenge, we suggest, is ensuring that your 'new privacy normal' keeps up with the pace of change in data technology. We may have thought that change was all about AI and more data centres in Europe, but it seems that data itself is just about to take another leap forward.