While there is a requirement to employ a Data Protection Officer (DPO), many companies are struggling to recruit the right person for the job. Many candidates are privacy experts with deep knowledge of regulatory matters; however, they usually come from legal backgrounds and thus have no experience with technology and security, skills that enterprise data protection requires.
The effect of this is that a new job role is required – Privacy Operations, according to Amit Ashbel of Cognigo. He tells Digital Journal how this new discipline can facilitate cross-departmental collaboration and communication.
Digital Journal: Please can you briefly explain the origins of GDPR?
Amit Ashbel: The GDPR did not just appear out of the blue. Its first signs could be seen way back in 1995 when the European Data Protection Directive was adopted. In 2014, the European Parliament adopted the GDPR for the first time. In 2016 the GDPR was launched, and in 2018 it began to be enforced. The need for protection of privacy was always there, but the huge industry shift and technological advancements have made data more important and more abundant.
Governments now understand that it is their responsibility to protect personal data and therefore not only the GDPR but other regulations are being enforced globally. Some examples include the CCPA (California Consumer Privacy Act), Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act), and South Africa’s POPI (Protection of Personal Information). All these regulations address a very similar scope to GDPR and all attempt to ensure that organizations leverage data responsibly while keeping the consumer’s privacy in mind.
DJ: What have businesses had to do to meet the GDPR requirements?
Ashbel: Data-driven businesses have had to adapt to GDPR by making sure that they have full visibility into all their data. The challenge for organizations is that personal data nowadays is everywhere. It can be in a database, but it is mostly spread across shared drives, workstations, Cloud storage services, file servers, applications and anywhere else where documents can be stored.
Organizations are exposed to a very small percentage of the data they collect, and discovery of all that data is one of the most important tasks required for GDPR compliance. That said, organizations can look at the GDPR requirements as an opportunity to build and grow on their data. Businesses already make decisions based on the data they manage. Increasing the ability to identify all data within the organization will not only help protect it, but also help the company make better business decisions.
DJ: You’ve said that businesses are struggling to get Data Protection Officers in place. Why is this?
Ashbel: This might actually be the core of where the Privacy Ops discipline can solve many issues. DPOs are tasked with ensuring that data privacy is enforced. In many cases, the DPO will be a legal entity who will not necessarily have the technical expertise to be able to choose, implement and manage technology-based solutions for privacy enforcement. This is where organizations may struggle in finding the right fit for the position. There needs to be a connecting unit between the technology and privacy teams.
DJ: How can technology assist with this new paradigm?
Ashbel: Most data protection tools rely on manual processes and pattern matching to detect data at risk, but data is inherently as complex as the systems and people who create it. The good news is that breakthroughs in artificial intelligence, and specifically in the field of natural language processing (NLP), are able to automatically locate personal information and the context in which it resides. The new technology allows companies to locate personal information at risk, and apply the appropriate measures to protect it – in minutes, which significantly reduces the manual effort and resources required.
DJ: Who are the most promising technology providers?
Ashbel: We see ourselves as very unique in the landscape of technology providers because we cover the whole range of data (structured and unstructured) across all data silos (Cloud, workstations, file servers, databases, CRM, etc.) without the need for human intervention. To the best of our knowledge, no other solutions provide the full scope or mature Cognitive Computing-based technology that is crucial in complex data environments.
DJ: Why is cross-departmental collaboration important?
Ashbel: It is important when there is no single source of truth. If you need to provide a customer with a data subject report, you will have to collaborate with a variety of teams within the organization to make sure you have all the information required. This process may take months. However, once technology and privacy collaborate, you can reduce the time spent by making sure that all organizational data can be mapped and governed via a single location.