On April 19, at the International Association of Privacy Professionals Global Privacy Summit 2017 in Washington DC, a panel of senior privacy executives from leading multi-national corporations discussed how their organizations are preparing for implementation of the General Data Protection Regulation (GDPR) set for May of 2018, and how they will work to operationalize, sustain and monitor their GDPR privacy compliance programs to be effective and demonstrably compliant for the long term.
Carolyn Holcomb, CIPP/US, partner, Cybersecurity and Privacy, PwC (Moderator)
Keith Enright, CIPP/G, CIPP/US, director, Global Privacy Legal, Google
Asim Fareeduddin, CIPP/US, VP, IT Security and Regulatory Controls Assurance, RELX Group
Lori Fink, senior VP, Assistant General Counsel, CPO, AT&T
Holcomb: How are your teams set up, and will you make any changes to your team structure because of the GDPR?
Enright: Google has a global team of lawyers and legal specialists. We are always following how laws are evolving so we can make sure we comply and advise the business for optimal flexibility. Google also has a massive cross-functional effort involving multidisciplinary product managers, engineering leaders, user experience designers. For 2018, we’re working now to make our privacy program appropriately auditable, so we can demonstrate evidence to third parties. Our audit has traditionally been with PwC, but with the GDPR, there is a larger community now asking for evidence and examining our program. There are new legal privilege considerations around the records a privacy program produces.
Fareeduddin: RELX is B2B focused. We’re a $9bn business that owns many other big businesses. To us, GDPR is first and foremost a business problem. My team does IT assurance, rolling up to the General Counsel. We have a sister organization of data privacy attorneys that project manage their GDPR compliance effort. We’re all working with the attorneys from our various businesses to ensure they’re getting ready for May 2018.
Holcomb: What are your top three factors for sustaining a privacy program over time?
Fink: Have a program that’s interoperable. Customers expect you to be in compliance with legal requirements. Next, the GDPR compliance tools you develop have to be simple and easy to use. Help users get results under the requirements. Third, be flexible – you’re dealing with so many ad hoc country requirements, you must adapt as regulations change. Don’t be tied to any specific country.
Enright: The GDPR is a very ambitious law, but it’s just a starting point. One of the greatest dangers large organizations face is tacking toward 2018 and thinking you’re done. We are seeing nearly daily guidance from national authorities, society, academia, the Article 29 Working Party – it’s a conversation we’re just beginning. It won’t begin and end in Europe – this will eventually affect the policy discussion in the US and globally. Don’t hard code your program to just GDPR compliance – you’re setting yourself up for a lot of pain when the next challenge comes.
Fareeduddin: GDPR compliance is about how to apply the new framework to what you’re already doing. Don’t look at implementing controls as a checklist of GDPR-related things to get done; look at it as a business process. If it’s a check-the-box exercise, it will be looked at as busy work and might not get done properly. Bring the right stakeholders to the table, including the business side.
Holcomb: So how do you bring all the stakeholders in?
Fink: Regulatory compliance is done on top of what you’re already doing daily. We bring small teams into the process. We also mobilized across leadership – technical, the CISO, HR, Compliance. You need to keep that outreach going. It helps everyone to understand how time and resource intensive this issue is.
Enright: User trust has been key to our company from the beginning. The founders made decisions early on, so that we never struggle for access to the senior-most levels of management. Because of Google’s products and services, we’ve always gotten a lot of attention from regulators worldwide. That’s been beneficial to us on balance from a privacy perspective. It has elevated our cultural sensitivity and awareness of regulators’ perspectives. This well positions us for GDPR and whatever comes next.
Holcomb: How will you monitor your program?
Fink: The audit approach is traditional. Short of doing that, we can do compliance reviews – identify high risks, or new areas of a program that need more engagement. Work with business units to ensure they have the right protocols in place. Are you getting questions from them? If so, it’s working, they’re seeking expertise, but if it’s just check the box, it won’t work. You must have a regular dialog.
Fareeduddin: Proactive questions show a level of maturity and awareness in the organization. Make privacy part of your regular business process. We will perform risk assessments and look at automated, continuous monitoring as well, especially with the complexity of GDPR.
Enright: We have two primary objectives: to ensure we keep promises to users; and to ensure we’re managing risk appropriately. Google has a wide array of controls already in place for both of these. For the former Safe Harbor program and now the Privacy Shield, we have an extraordinarily rigorous process. Every year we review and confirm all commitments and make sure we satisfy them. This results in hundreds of certifications coming to me, which I review before submitting to the US Department of Commerce.
Holcomb: What are you doing about a Data Protection Officer (DPO)?
Fink: My advice is to start somewhere! Your program should evolve. The GDPR caused us to review what we have today, which is 19 DPOs in 17 countries. We don’t need to change where all of them are. For the GDPR, we have decided to take a regional approach – the Americas, EMEA and AsiaPac, but what we do today may not be where we are six months or three years from now.
Enright: There are a lot of open questions right now. Should a DPO be a lawyer or not? If he or she is a lawyer, what does it do to their legal obligations? Do they need to reside in Europe? We have a legacy structure that will give us a good start, but there are new incremental things now. We will keep an open dialog with national regulators and working parties, because we don’t want to disappoint them, but we don’t want just a defensible legal position, we sincerely want to go farther. The GDPR is trying to satisfy a philosophical issue, and we want to satisfy the regulatory appetite in Europe so we can demonstrate we’ve taken this commitment seriously.
Holcomb: What about companies that are struggling to get executive attention on this issue, or don’t have funding?
Fink: You could mention the 4% penalty risk up front to get in the door. However, to be sustainable, it’s about customer and employee relationships and expectations. It will become a contractual requirement. This is what will move the needle.
Enright: Never waste a crisis! Leverage it for what you can. Be careful about the 4%. It creates a staggering blue sky figure they may filter out because it’s too terrifying. Modify how you describe the seriousness of GDPR to say it’s civil penalty authority like nothing you’ve seen before in Europe or the US. That should get attention. Also, I don’t think we’ll see these huge sanctions right away. The EU regulators are being thoughtful, but they want to see sincere efforts. However, if we don’t see a massive penalty after some time, you may lose the attention of your Board and will do your program a disservice in the longer term. Be more honest and forward-looking. The GDPR is a symptom of how the privacy and data protection conversation is changing around the world. We’re not going to solve it in 2018 and be done.
Fareeduddin: Ask for what you need, but don’t say the sky is falling because it hurts your credibility. Look at what others in your industry are doing and discuss that competitive reality with leadership. Look at other compliance measures you’ve already leveraged and show how you’ll build on those. Only use bad examples and scare tactics minimally.