PwC report: Technology’s role in data protection – the missing link in GDPR transformation
The EU General Data Protection Regulation (GDPR) delivers a fundamental change in how data controllers and data processors handle personal data. Instead of an ‘add-on’ or afterthought within business operations, protections for personal data will now have to be designed into the very fabric of data processing systems, meaning that entities will need to re-examine how they approach the use of technology in their organisations.
European data protection law has always been concerned with how technology operates. Indeed, the first proposals for harmonised, pan-European laws were a response to technological developments. Legal instruments such as Council of Europe Recommendation 509 on human rights and modern scientific and technological developments (31 Jan. 1968) pinpointed with precision the risks to privacy that were posed by the technology revolution of the 1960s. Data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms.
Technology is, in other words, the principal problem that data protection law is trying to solve. As such, it is obvious that, as well as being the problem, technology must provide the solution. If entities are storing too much personal data, for example, technology needs to deliver delete, erase, de-duplication and minimisation functionality.
However, the way that data protection has operated in practice tells a different story and PwC’s experience in this area backs this up: despite technology being both the problem and the solution, technology systems have not been designed and deployed from the perspective of the requirements of data protection law. This is why we see so much debate over the retention and storage of personal data, so much confusion about the nature and whereabouts of personal data and so many technology-related cyber-security failures. From this perspective it might be said that the technology stack has been the missing link in data protection programmes over the years.
The underlying reasons for these issues will no doubt continue to be a source of debate, but one thing is certain: in the new world of the GDPR, where tougher and more penetrative forms of adverse scrutiny are likely, instances of technology failure will be harder to excuse.