It’s a paradox of the General Data Protection Regulation (GDPR) that, despite its raft of granular and explicit legal obligations, protection will ultimately rely on greater cooperation and trust. This is the opinion of Carsten Weinholdt, senior principal, global privacy and data protection at DXC, who speaks with a 20-year track record in compliance and data security.
Weinholdt leads the project to ensure that DXC is compliant with GDPR. He shared with me some of the compliance challenges giving him and other executives sleepless nights. As with many organisations in the digital world, under the GDPR DXC is both a “controller” of data – responsible for its own employee data – and a “processor” – handling personal data on behalf of clients.
For controllers of data, GDPR gives clearer guidance and is more explicit and defined. The new piece that is causing sleepless nights and headaches in many boardrooms is around processor duties, explains Weinholdt. “These responsibilities were previously covered by contractual agreements between commercial parties, and were not subject to government statute. It presents a new liability.”
Now, processors who deal indirectly with other parties’ customer and personal data are mandated to implement “appropriate technology and organisational measures” to protect these data. The main source of confusion is not about any technical provision of security, but the huge difference to the way that commercial and operational risk must now be calculated, says Weinholdt.
The big questions are: Who is paying for this? And who is deciding what is deemed to be “appropriate”? Previously, the client determined what security and protection was appropriate or necessary, leaving the supplier to price it up and implement. Now that GDPR has introduced a statutory obligation on suppliers to maintain privacy of third-party customer data, there is a tussle about who should pay for this.
Cyber security comes with a big price tag, and so there are some serious negotiations going on in boardrooms about who foots this very substantial bill. A flow-down of obligations along the supply chain is replacing contractual requirements. Suppliers are suddenly finding themselves directly subject to GDPR, prompting huge discussion. At present there is no guidance from the EU – it is silent on the matter.
GDPR and its amplified obligations have therefore prompted discussion along the entire supply chain, says Weinholdt, and this could have a silver lining. Paradoxically, while GDPR ushers in more explicit, statutory obligations, Weinholdt believes it will rely on greater trust and cooperation between players to secure citizens’ personal data.
“More than before, globalisation relies on supply chains that are flexible and quicker to respond – businesses have to turn on a sixpence, and swap components in and out fast. GDPR places a competing pressure on companies to make data protection measures transparent and introduces new controls, including the obligation to provide evidence of due diligence on demand.”
To cope with these competing demands, Weinholdt believes the contractual piece of the protection puzzle will become more detailed and granular. Companies that are processors under GDPR have to find ways to manage their suppliers and customers, and to provide for data protection, more effectively, he says. “We will all introduce new systems and tools, to manage contracts faster because of GDPR and other drivers.”