It’s a paradox of the General Data Protection Regulation (GDPR) that, despite its raft of granular and explicit legal obligations, protection will ultimately rely on greater cooperation and trust. This is the opinion of Carsten Weinholdt, senior principal, global privacy and data protection at DXC, who speaks with a 20-year track record in compliance and data security.
Carsten leads the project to ensure that DXC is compliant with GDPR. He shared with me some of the compliance challenges giving him and other executives sleepless nights. As with many organisations in the digital world, under the GDPR DXC is both a ‘controller’ of data – responsible for its own employee data – and a ‘processor’ – handling personal data on behalf of clients.
For controllers of data, GDPR gives clearer guidance and is more explicit and defined. The new piece that is causing sleepless nights and headaches in many boardrooms is about processors’ duties, explains Carsten. “These responsibilities were previously covered by contractual agreements between commercial parties, and were not subject to government statute. It presents a new liability.”
Now, processors who deal indirectly with other parties’ customer and personal data are mandated to implement “appropriate technology and organisational measures” to protect the data. “The main source of confusion is not about any technical provision of security, but the huge difference in the way that commercial and operational risk must now be calculated,” says Carsten.
The big questions are: who is paying for this? And who is deciding what is deemed to be “appropriate”? Previously, the client determined what security and protection was appropriate or necessary, leaving the supplier to price it up and implement it. Now that the GDPR has introduced a statutory obligation for suppliers to maintain the privacy of third-party customer data, there is a tussle about who should pay for this.
Cyber security comes with a big price tag, and so there are some serious negotiations going on in boardrooms about who foots this very substantial bill. A flow-down of obligations along the supply chain is replacing contractual requirements. “Suppliers are suddenly finding themselves directly subject to GDPR, prompting huge discussion. At present there is no guidance from the EU – it is silent on the matter.”
“The GDPR and its amplified obligations have therefore prompted discussions along the entire supply chain,” says Carsten, “and this could have a silver lining.” Paradoxically, while the GDPR ushers in more explicit, statutory obligations, Weinholdt believes it will rely on greater trust and cooperation between players to secure citizens’ personal data.
“More than before, globalisation relies on supply chains that are flexible and quicker to respond – businesses have to turn on a sixpence, and swap components in and out fast. GDPR places a competing pressure on companies to make data protection measures transparent and introduces new controls, including the obligation to provide evidence of due diligence on demand.”
To cope with these competing demands, Carsten believes the contractual piece of the protection puzzle will become more detailed and granular. He says companies that are processors under the GDPR have to find ways to manage suppliers, customers and the provision for their data protection more effectively. “We will all introduce new systems and tools to manage contracts faster, because of GDPR and other drivers.”