Technology’s role in data protection

The missing link in GDPR transformation

The EU General Data Protection Regulation (GDPR) delivers a fundamental change in how data controllers and data processors handle personal data. Instead of an ‘add-on’ or afterthought within business operations, protections for personal data will now have to be designed into the very fabric of data processing systems, meaning that entities will need to re-examine how they approach the use of technology in their organisations.

European data protection law has always been concerned with how technology operates. Data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms. Technology is, in other words, the principal problem that data protection law is trying to solve. As such, it is obvious that, as well as being the problem, technology must provide the solution.

However, the way that data protection has operated in practice tells a different. Technology systems have not been designed and deployed from the perspective of the requirements of data protection law. This is why we see so much debate over the retention and storage of personal data, so much confusion about the nature and whereabouts of personal data and so many technology-related cyber-security failures. From this perspective it might be said that the technology stack has been the missing link in data protection programmes over the years.

The underlying reasons for these issues will no doubt continue to be a source of debate, but one thing is certain: in the new world of the GDPR, where tougher and more penetrative forms of adverse scrutiny are likely, instances of technology failure will be harder to excuse. Data controllers and processors who are engaged in the design, build and delivery of GDPR programmes should re-examine and rebalance their priorities, in order to deliver the best possible technology environment for personal data before the GDPR comes into force in May 2018. As part of this rebalancing exercise, they should:

  • Critically examine whether they have enough time, space and resources in their programmes to deliver what is required in their technology stacks by May 2018. As part of this process they should consider performing a technology functionality gap analysis, whereby the operational performance of technology is tested against the requirements of (1) the data protection principles, (2) the data subject rights and (3) the programme build requirements described in the GDPR.
  • Perform a risk and cost-benefit analysis, whereby the operational risks to personal data and the legal and reputational risks to the controller or processor of data protection failure are weighed against the ‘feasibility issues’ associated with delivering technology change, such as the lead time required to source, procure, install and test new technology. Central to this exercise is an understanding of the nature of the technology market and the consensus on what ‘good’ looks like.

In weighing up the options, controllers and processors should bear in mind that, for the first time, data protection law now contains real incentives for the delivery of technology change. As well as the obvious risk of regulatory enforcement action, including the risk of sizeable financial penalties, there is a new ‘litigation risk’ built into the GDPR, all underpinned by transparency mechanisms that will shine a spotlight on what is actually happening to personal data, including when security fails.

Related content

Contact us

Tim Clough
Partner, Risk Assurance Leader
Tel: +7 (495) 967 6018

Dmitry Biryukov
Assistant Manager, Risk Assurance, Personal Data Protection
Tel: + 7 (495) 967-60-00, ext. 2732

Follow us