Expert Interview (Part 3): Paige Bartley on the GDPR and its Adoption in Other Regions
In this expert interview series, Paige Bartley, Senior Analyst for Data and Enterprise Intelligence at Ovum, discusses the state of GDPR readiness, and how data quality, data availability and data lineage play into the GDPR compliance landscape.
The final installment focuses on the difference between technology-based and process-based approaches to GDPR compliance, and on how the GDPR could inspire other regions to create regulations of their own.
Do you think the GDPR will inspire similar frameworks in other jurisdictions? Will we see an American version of the GDPR in the next five or ten years, for example?
GDPR can, and already has, inspired similar frameworks in other jurisdictions. The UK is a good example; despite Brexit, the country made it clear they would follow GDPR prior to exiting the EU, and create legislation that mirrored GDPR’s guidelines in preparation for their full exit. The reason for this is economic pressure. The EU is a major economic bloc, and in order to freely/easily transfer data between the EU and another country, the other country needs an “adequacy decision,” meaning that the EU has formally deemed the country’s data protection and privacy practices to be sufficiently similar to those that are offered in the EU. The simplest route to an adequacy decision is adopting regulation that closely mirrors GDPR. In the absence of an adequacy decision, much more complicated mechanisms are required to transfer data. So for any country that wants to freely do business with the EU in the cloud and data-driven era, there is a strong incentive to pursue a framework which is similar to GDPR.
The US is a unique case. Because of the US’s relative economic strength, there is less pressure to comply with the EU’s standards for data due to trade pressure. However, public perception of privacy issues is sharply increasing, and the recent Congressional hearings of Facebook have brought potential regulation to the forefront of media and the public sphere.
But keep in mind that some of the largest data monetization companies in the US, such as Google and Facebook, are also the biggest forces in terms of lobbying dollars spent. Businesses that depend on the leverage and monetization of personal data have enormous political clout in the US, and they help shape US policy. This, combined with Congressional gridlock and the current political climate, makes it unlikely that the US will adopt a sweeping, robust regulation similar to GDPR in the near-term. Some initial data privacy regulation may be passed, but it is unlikely to mirror GDPR’s broad protections.
However, there is more hope for the long-term protection of data. There are many multi-national organizations that are based in the US which are beginning to apply GDPR standards to all of their data, rather than just EU resident data. From an IT and architectural perspective, it is easier to consistently apply GDPR policies across all data than it is to try to segregate and define disparate policies for data based on data subject residency.
You’ve written about there being “two camps” within the GDPR landscape, by which you meant that some companies and vendors look to technology as the solution, while others look to process. You’ve said that it’s debatable which approach is better. Could you elaborate on this?
In reality, compliance with GDPR requires two major components: direct technical control of data assets, and the existence and documentation of repeatable human processes. Neither can exist in isolation. While this may seem like a distinction between “hard” and “soft” requirements, software solutions provide technical means for achieving both needs. The solutions’ approaches, however, are often divergent.
Given this mix of needs, the landscape of vendors offering GDPR-related solutions is largely evolving into two camps: those that take a technology-based approach and those that take a process-based approach. Both methodologies typically depend on software to provide a centralized interface for task management and human interaction with data, but they tend to differ in their objectives and execution.
The ideal GDPR compliance tool will leverage aspects of both approaches, allowing the technology to span the broadest number of articles of the regulation. A technology-based approach exerts direct control on data, while a process-based approach helps exert control on people and responsibilities. Both used in concert in the same product enable compliance to become deeply rooted in enterprise architecture and culture simultaneously.
But for the organization that may just be starting its compliance journey (and may have limited budget), there is reason to first consider tools that take a process-based approach. The regulation itself emphasizes process over exact technical controls. Without the proper processes rooted in enterprise culture, GDPR compliance will fail regardless of the technology that is implemented. That is why process-based tools often form a useful stepping stone to deeper technical functionality. Multiple GDPR solution purchases are rarely made in a single “bundle,” so it makes sense to start with process-based products, which allow the enterprise to establish human workflows before seeking out specific technical capabilities to complement those processes.
To learn more about GDPR compliance, read our eBook: Data Quality-Driven GDPR