2017-08-21

GDPR & Digital Transformation - What do they have in common?

At first sight nothing, you would say, except perhaps that both of them, the General Data Protection Regulation and the change imperative of digital transformation, are currently hot topics in the public professional debate. And I would even agree, at least at first sight.

When digging a bit deeper into the very nature of both concepts, the necessary preconditions, the resulting effects, we might feel compelled to paint a different picture. There might even be a common layer of overarching or underlying principles both concepts need to follow in order to be successfully implemented.

Digital Transformation

Much has been written about this fashionable term – not least by myself. So I will spare you a lengthy and in-depth elaboration on this topic. Let’s just focus on some characteristics to be discussed further in the course of this article.

Here we define digital transformation as the transformation of a business aiming at a competitive advantage in its market by profoundly making use of the latest digital technology.

By latest technology we mean technology that has matured sufficiently to be seriously considered, at acceptable risk, as a foundation for the newly transformed business.

As in the past, this approach rarely results in totally re-inventing the business; more often than not it boils down to the automation of processes previously done manually.

Nevertheless some change has meanwhile occurred, a kind of the often cited transition from quantity to quality:
  • Artificial intelligence, belittled for many years as a lab-only technology, has grown up,
  • Advanced analytics is now mature enough for in-process decision taking,
  • Connecting ordinary “things” to the internet broadens the range of processes to automate,
  • and some more
… have meanwhile evolved into powerful tools.

By automating most of the operational layer, making most of the management layer obsolete, adding a new breed of change agents instead, and requiring a much more technology-aware strategy process, the entire corporation may nevertheless undergo a fundamental transformation.

GDPR

The General Data Protection Regulation (GDPR) apparently is quite a different story.

The GDPR intends to strengthen and unify data protection for individuals within the European Union. It also addresses the export of personal data outside the EU. Citizens and residents benefit by getting back control over their personal data. For international business the unification of the regulation within the EU is a welcome side effect as it simplifies the regulatory environment.

The GDPR is driven by some major underlying principles relating to the processing of personal data, as expressed in its Article 5: lawfulness, fairness and transparency; purpose limitation; accuracy; storage limitation; integrity and confidentiality; accountability.

While this sounds fine and most of us might intuitively agree with it, for enterprises there is reason to be concerned, as the regulation opens a new compliance frontier. Some of its requirements represent rather new concepts, such as 'privacy by design' and 'privacy by default', the right to data portability on request of the data subjects, explicit consent, minimal data, or the right to be forgotten, just to name a few.

Hence complying with the regulation will require changes and enhancements deep in the practised processes and implemented data structures. In addition, regular risk assessments, called Data Protection Impact Assessments (DPIA) in the GDPR, become mandatory once you deal with ‘high risks’, e.g. sensitive personal data. Doubts are justified that both can be achieved within the few months left; rather, it may take years of maturing, at least when starting from a low level of process maturity – which can safely be assumed in the majority of cases.

The volume of the resulting activities may not be negligible either, as a recent Oliver Wyman survey of 1,500 British consumers revealed that as many as half of the respondents said they were already leaning toward reclaiming their information.

Regarding the requirement to report a data breach to the supervisory authority within 72 hours, a recent survey illustrates this: it found that only 2% of responding companies actually appeared to be compliant, although almost half (48%) of the respondents reported that they were.

In most cases this discrepancy is not due to unwillingness but to severe deficits in the basic underpinnings. Most often no data encryption is applied by default, whether structure-retaining (pseudonymisation or tokenisation) or not. No company-wide, cross-process identity concept is implemented, no role-based or attribute-based access management exists, and no executable security policies are in place.

From the regulator's perspective these are all elements of ordinary housekeeping which have to be in place to comply with the GDPR. They are also a necessary precondition for any digital transformation.

The GDPR may drive digital transformation. Why so? Let’s randomly take one of the requirements as a small but important example: as mentioned above, the GDPR obliges companies to report data violations within 72 hours. If they cannot prove that the data were encrypted and the private keys have been sufficiently protected, they will face a severe fine. As reliable end-to-end data encryption, whether "at rest" or "in flight", has traditionally been difficult to achieve and rather costly, new solutions need to be put in place: new processes, new software and most probably even new, specialized hardware. This might further drive the move towards cloud solutions, which in the end will turn out to offer higher security than in-house solutions.

Thus we have here an example of the GDPR paving the way for further digital transformation, as vulnerabilities due to insufficient IT security measures are the major concerns holding back the transformation towards truly digital corporations.

Data portability and the right to be forgotten are also examples where the data architecture has to follow a holistic identity concept. It has to include all kinds of stakeholders, such as customers, vendors and all parts of the workforce – not just employees, thereby inflating the data volume by several orders of magnitude.

Additionally, the relationship to planned, ongoing and past business activities and to legal obligations must be reflected here, so as to determine the purpose for which the data are actually held and to effortlessly decide whether they can be safely deleted.

The necessary defragmentation of the underlying data architecture and the explicit expression of relationships, which to date are often only implicitly stated in unrelated documents, can also be welcomed as an enabler for further automation.
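As an added illustration (not code from the original article), here is a minimal Python model of the data architecture argued for above: every stored item is linked to a data subject, a purpose and the statutory retention (if any) behind that purpose, so that a portability export and an erasure request can be decided from that link alone. The purposes, subjects and values are constructed sample data.

```python
# Added example, not the article's own code: records carry their purpose and the
# statutory retention behind it, so erasure decisions come from the data model.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Purpose:
    name: str
    lawful_basis: str              # e.g. "consent", "contract", "legal_obligation"
    retain_until: Optional[date]   # last day statutory retention applies; None if none

@dataclass(frozen=True)
class Record:
    subject_id: str
    attribute: str
    value: str
    purpose: Purpose

# Constructed sample data (hypothetical purposes, subjects and values).
NEWSLETTER = Purpose("newsletter", "consent", None)
INVOICING = Purpose("invoicing", "legal_obligation", date(2027, 12, 31))
SAMPLE = [
    Record("cust-42", "email", "alice@example.com", NEWSLETTER),
    Record("cust-42", "billing_address", "1 Main St", INVOICING),
    Record("cust-42", "invoice_no", "INV-1001", INVOICING),
    Record("cust-7", "email", "bob@example.com", NEWSLETTER),
]

def portability_export(records, subject_id):
    """Right to data portability: everything held on one subject, grouped by purpose."""
    out = {}
    for r in records:
        if r.subject_id == subject_id:
            out.setdefault(r.purpose.name, {})[r.attribute] = r.value
    return out

def erasure_request(records, subject_id, today):
    """Right to be forgotten. Returns (remaining, deleted, retained): the subject's
    records are deleted unless their purpose still carries an unexpired statutory
    retention period; those are kept and listed so the refusal can be explained."""
    remaining, deleted, retained = [], [], []
    for r in records:
        if r.subject_id != subject_id:
            remaining.append(r)
        elif r.purpose.retain_until is not None and r.purpose.retain_until >= today:
            remaining.append(r)
            retained.append(r)
        else:
            deleted.append(r)
    return remaining, deleted, retained
```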

Conclusion

With only a few months to go, the GDPR seems far more urgent to take seriously than any digital transformation. This impression is strongly supported by the looming penalties of up to 4% of annual global turnover or €20 million (whichever is greater).

Lagging behind the competition, however, is not much less of a threat. Market dynamics have increased considerably. While in the recent past it took about 20 years for a company to reach sufficient size for considerable market visibility, today it can well happen after one year. Meanwhile the corporate average life span has shrunk to about 12 years. These numbers might give the impression that missing the train in the realm of digital transformation could come with penalties of a similar order of magnitude.

There is definitely no time to lose. The good news, however, is: doing both is not exactly double the work. There are several commonalities, and reason to assume substantial synergies, when addressing both of them.

And by the way: Both have to be done anyway.

Further readings and references …