“When there is an innovation, Americans make business out of it. The Chinese, a copy. As for us, Europeans, we make a regulation”, said Emma Marcegaglia, former president of the Italian employers’ federation. Because, indeed, Europe, falling behind when it comes to the digital economy, has created the GDPR in order to redistribute the roles up until then set by the GAFAs. However, what can we conclude four years having passed since its creation?
Although an international success, having inspired more than 60 countries, the GDPR is still a “paper tiger”. On May 25, 2018 when it was released, it was supposed to break the monopoly of the Big Tech by liberating personal data law. The GDPR has not yet delivered its promise and worse, it is in the process of making data protection look like a burden for companies, falling short from its promise to enable consumers’ and citizens’ emancipation. “The old world is dying, the new world is taking too long to appear and, in this chiaroscuro, monsters arise” said the Italian philosopher Gramsci. Well, this post-GDPR world is really taking too long to appear.
Indeed, despite 1.6 billion euros worth of fines, the GDPR is accused by the think tank “Digital Europe” of being a burden on the European economy of up to 2000 billion euros by 2030. The killer question then arises: in order to save the GDPR, should we lower its standards or invest in technology to make it easier to apply?
A management cost that increased by 100% in 2021
The toolkit for managing the GDPR has not really changed since 2018. Most companies use Excel to declare their data processing in the IS. Admittedly, there are SaaS tools which make the spreadsheet more design, but we remain using static, declarative tools and, most of all, not connected to the reality of the IS. It is clear that this is not convenient when it comes to monitoring and updating millions of datasets in hundreds of computer systems in real time. This creates version, modification and update problems and leads to a lot of manual work and endless Kafkaesque audits. All these inefficiencies have a cost for companies, estimated on average at $2.4M in 2021 for companies with more than 250 employees (each!), according to the CISCO Privacy benchmark, an increase of 100% since 2020.
The first generation of GDPR compliance tools and platforms for the 2018-2022 period has therefore not delivered on its promises. The conclusion is bitter: today, companies have neither an effective management allowing them to ensure real-time compliance and execution agility, nor reasonable costs.
“We have to move past the fear of being fined as the only driver of compliance. Investing in minimal GDPR compliance ultimately costs more in operational cost and manual labor. We must move towards personal data engineering, so as to make the GDPR a business opportunity to stand out before the competition and consumers.”
Indeed, the Cisco report cited above even shows that the ROI of a data protection approach is 190% in 2021.
Invest in DevRegOps for Continuous Compliance
Since May 25, 2018, there is a someone who frequently blocks tech teams from developing and deploying applications: the Data Protection Officer. Often with a non-technical background, the DPO questions what has been installed or developed, due to non-compliance with GDPR. The main problem is that the verification of GDPR compliance comes too late in the value chain, which creates great tension in IT teams. As General McArthur said “Lost battles can be summed up in two words: too late”
In line with the DevOps culture, which solved the problem between developers and Ops, or the DevSecOps which solved the conflicts between Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) with the famous “Shift Left Testing”, there is a solution to solve the conflicts between DPOs and CIOs: the DevRegOps.
It’s about making deployable code and data GDPR-compliant from inception to deployment. By doing GDPR compliance tests beforehand and not later, we are sure that compliance is respected from development to deployment, without hitches. The DevRegOps practice, the regulation in DevOps, makes it possible to be agile throughout the code and value production chain. It reports inconsistencies as soon as possible when changes are easy and inexpensive rather than at the end of the chain and ensures at all times that application processing complies with the GDPR by design.
Because data protection is now continuous, the DPO stops being a blocker and becomes a facilitator, organizer, someone who governs the data protection policy, implemented and decentralized in the tech teams and produced by the IT department. After continuous integration and continuous deployment, here we have continuous compliance, which allows you to abide by the GDPR while remaining agile.
Bridging the cultural gap between the legal department and the IT department
The first stage of DevRegOps is organizational. DPOs must democratize the GDPR subject with their IT teams and the CIO. There is an urgent need to decompartmentalize the legal and IT departments of companies. The latter still operate in sealed silos. A "Privacy Engineering" culture must emerge, one which brings together lawyers and developers in multidisciplinary teams or squads. This may put an end to the “developers” on one side and the “lawyers” on the other paradigm. We can take the example of companies that even have a role dedicated to DPO/Developer relations in order to democratize the GDPR in all business or IT applications of the company. The GDPR concerns the CIO as much as the DPO.
Budgets must also be better distributed between the DPOs and the CIO. The budget is often allocated only on one side which makes unilateral decisions without communication between the parties on the best solution to adopt.
Finally, it is important to know how to welcome and train a new generation of privacy engineers, true technical references for the DPOs within the CIO’s department on the decentralized application of the legal constraints of data protection. This is a crucial role, considering that 59% of privacy incidents come from an organization's own employees and 45% of those breaches come from intentional, but not malicious, behavior.
Making GDPR “Programmable”
The second phase of DevRegOps is technical. New tools must be given to developers and architects since they are the only ones responsible for the implementation in IT systems.
A programmable record of processing activity format: Declarative formats such as Excel can be replaced by a programmable machine readable file format such as UROPA, that is, machine-readable, interoperable and open source. The management of processing files is automatic, as the Swagger/OpenAPI format did for APIs.
Capturing from the IS in real time: by linking this “programmable” processing register with sensors directly installed in applications or company databases, any inconsistency between what is declared and the reality of IT systems is detected at any time. In an architecture that is now event-oriented, audits are in real time and rights requests are processed automatically, in a few seconds
Scaling up with AI: personal and sensitive data can be proactively detected thanks to dedicated AI algorithms. Their retention period(s), archiving and deletion are automatically managed according to the events generated in the IT system and the associated processing files.
Observability: “Shadow APIs” are open access points outside of any governance and are security breaches and sources of data leaks. Thanks to the latest observability technologies, it is possible to detect them, secure them and reintroduce them into the governance of the IT department.