Navigating the compliance storm: Talend on tricky GDPR issues and how to solve them

As GDPR celebrates its one-year anniversary, we sit down with Talend senior director of data governance Jean Michel Franco to talk about where organisations are still going wrong and how things are likely to change.

At the end of May, the European Union marked the one-year anniversary of its data privacy regulation, the GDPR. For EU consumers, the GDPR represents a major win: it gives them more rights over the use of their data by private and public entities, requiring, for example, that organisations collecting personal data obtain consent that can be withdrawn and support data portability.

It has also helped to educate consumers about the extent of their rights; in the past, many held an ignorant, ambivalent or apathetic attitude towards their privacy rights in the digital realm. Consumers have had something of an awakening - not at all hindered by Facebook's Cambridge Analytica scandal - and began exercising their rights in droves mere months after the GDPR came into effect.

For the enterprise, though, the GDPR was not met with such warm attitudes. Many organisations would ardently describe their journeys toward GDPR compliance as nightmarish, especially those that process large amounts of personal data. While many B2B businesses thought they would be little affected by the EU's regulatory masterstroke, they were surprised to find that there are many priorities they must work through in order to achieve compliance. This is a constant, ongoing process, and Data Protection Officers (DPOs) will never really be able to let their guard down, especially if organisations simply place the whole burden on them without assigning responsibility elsewhere.

The challenges that GDPR has presented organisations have been - at times - incredibly steep, leading many to simply fail at their compliance obligations. While fines haven't been particularly damaging to this point, aside from Google's huge €50 million fine, there are a few elements signalling a potential change in this state of affairs, with regulators indicating that an increase in larger fines could be imminent.

To talk about the current state of the GDPR and what organisations are still struggling with, we sat down with Talend senior director of data governance Jean Michel Franco. Franco identifies a couple of key pain points that are relevant to a wide range of organisations, while also discussing some of the things that organisations have done right and where he thinks we're headed going forward.

Should compliance be a top-level priority for organisations at the moment? Do you think that is currently the case?

Compliance should be an absolute priority for organisations, because the costs of non-compliance are potentially extremely high. The GDPR was partly designed to swing the balance of power back in favour of consumers and their data, so it makes sense that we are seeing more cases of firms being held accountable under this legislation. As the media spotlight on GDPR breaches grows, businesses will be aware of the plethora of negative impacts caused by a privacy violation.

With respect to data privacy, there is a misconception that this is all about regulatory compliance. When you look at what's happened since the GDPR entered into effect, the number of fines is limited. But, meanwhile, the number of data breach notifications and complaints has exploded and risen by thousands. Non-governmental organisations such as noyb, Privacy International and La Quadrature du Net have launched group actions that are on the regulator's radar. Companies are realising that this is a customer trust challenge, not only a regulatory challenge.

In order to build and grow customer relationships, organisations will have to honour the contract they are making with customers. As with any contract, this is more than a legal requirement, it's about building a trusting relationship. This is a vital distinction. Trust is a pivotal aspect for businesses today and in the future. If you do not have a contract that your customers like or trust, customers will begin to withhold their data. This is why we are seeing the likes of Google and Facebook announcing concessions to privacy now.

What are some of the main challenges that organisations are still working through when it comes to GDPR?

Following the introduction of the GDPR legislation last year, it is worrying to see that so many firms are still failing to comply, especially with requests from their customers and employees exercising their data access rights.

In most, if not all, firms there is some form of GDPR project underway. As part of the journey to compliance, many firms have employed Data Protection Officers (DPOs) to ensure they are meeting the complex requirements of the GDPR. But results don't lie, and studies show most firms are still failing to comply with the GDPR - for example by being unable to provide a customer's personal data within the required period when requested. The causes of this failure are varied but there are two main reasons for the lack of compliance: the role of the DPO and a business's IT systems.

In many cases just hiring a DPO is not enough; there are masses of data and often thousands of requests, which for one person is an extremely large task. The DPO is often overwhelmed and bombarded with requests, such is the scale of the task at hand. Firms are moving in the right direction, but they still lack the organisation and resources to meet requests and ensure compliance.

When an individual asks for their data, providing it should be simple, but many firms are not yet ready to handle these types of requests, often lacking the automated systems and organised data that would enable a smooth, quick and simple process.

Businesses need to ensure they have in place the systems, the people and the resources to meet the growing number of requests and to work through the volumes of data available - otherwise they risk significant fines for non-compliance.

What message have the fines sent to organisations (i.e. Google's €50m fine)? Do you think these have changed the way that companies look at GDPR?

In the run-up to the GDPR's first anniversary we saw increasing media attention on big data privacy violations. We saw Google fined a record 50 million euros under the GDPR by the CNIL, and in Ireland 16 companies are under investigation, including Facebook, LinkedIn and Twitter, to name a few. Facebook has already been fined £500,000 by the UK data regulator, the ICO, for the Cambridge Analytica debacle, and now faces a possible multibillion-dollar FTC fine in the US for data privacy violations.

With so many users of these platforms, complaints are likely to stack up with regulators, who may then feel compelled to act. The onset of the GDPR and the increasing focus on data privacy violations and the misuse of data could create a vicious cycle, where every penalty issued leads to more attention and more possible legal and enforcement action.

However, it is interesting to see the changes underway in the US currently. Traditionally a country rather reluctant to legislate in the field of data protection, the US is now one of the nations where, at a political level, more and more voices are calling out for laws to govern the use and protection of personal data. In fact, these voices can even be heard inside the offices of the biggest tech giants in Silicon Valley.

Google's brush with data regulators should also ring alarm bells for all UK companies - big and small - regarding the proper management and governance of the personal data they process. There is still a lot of work to be done in this area, especially in ensuring compliance with the GDPR. This must involve a cultural shift towards data privacy where organisations do not take user or customer trust for granted. Compliance should not be the end goal in and of itself. Instead, companies have to nurture relationships with their customers in which data transparency and trust are central pillars. This is crucial from both an economic standpoint and for the customer experience - especially within a digital, data-driven world.

Is there anything organisations have handled or implemented particularly well? (i.e. what have they done right?)

With consumer trust towards data protection dwindling, more and more businesses will be scrutinised over the data they collect and how it is stored and used, with the potential for huge fines for wrongdoing under the GDPR. This means companies must be smarter about the data they choose to process and how it is used to improve the services they provide to consumers.

Firms are working in the right direction; they are employing DPOs and working on aligning their data to ensure that the customer's rights are respected. Here, data management - knowing exactly where your data comes from and where it goes - is critical. Businesses also need to protect data and anonymise it across all information systems by applying techniques such as data masking.

With the implementation of GDPR, consumers are also benefiting from extra transparency, and the firms that are succeeding with their implementations are those which are open and embracing transparency. Transparency allows firms to foster trust with their consumers and helps them build a stronger relationship in the long term. If organisations show consumers respect with regards to the handling of their data, this will certainly provide a competitive advantage in the form of additional trust and loyalty.
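The answer above mentions data masking across information systems as one of the protective techniques firms are applying. The following is an added illustration, not Talend's code or any product of theirs: it applies a per-field masking policy to a constructed set of customer records, uses a keyed HMAC so that one customer's records still join together after masking without the original identifier being recoverable, tolerates null fields, and finishes with a check that none of the raw identifiers survived. The record layout, field names and key are all assumptions made for the example.

```python
import hmac
import hashlib
import re

# Constructed sample records, invented for this example only.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "jane.doe@example.com",
     "phone": "+44 20 7946 0958", "postcode": "SW1A 1AA",
     "notes": "Called about invoice 42"},
    {"customer_id": "C-1002", "email": "bob@example.org",
     "phone": None, "postcode": "EC1A 1BB", "notes": ""},
    {"customer_id": "C-1001", "email": "jane.doe@example.com",
     "phone": "+44 20 7946 0958", "postcode": "SW1A 1AA",
     "notes": "Second ticket"},
]

# Assumed secret; in practice it lives in a secrets store and never in the
# environment that receives the masked copy, otherwise tokens can be re-linked.
DEMO_KEY = b"constructed-demo-key"


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same input -> same token, so records for one
    customer still join, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain: enough for support, not for contact."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits, regardless of how the number was formatted."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        return "***"
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_postcode(postcode: str) -> str:
    """Keep the outward (area-level) part of a UK postcode and drop the inward part."""
    if " " in postcode:
        return postcode.split()[0] + " ***"
    return postcode[:2] + "***"


def mask_record(record: dict, key: bytes) -> dict:
    """Apply the per-field policy; fields absent or null stay as they are."""
    rules = {
        "customer_id": lambda v: pseudonymise(v, key),
        "email": mask_email,
        "phone": mask_phone,
        "postcode": mask_postcode,
        "notes": lambda v: "[redacted]" if v else "",  # free text: redact entirely
    }
    masked = dict(record)
    for field, rule in rules.items():
        value = masked.get(field)
        if value is None:
            continue  # a null field must not abort the whole masking job
        masked[field] = rule(value)
    return masked


def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def leaked_values(originals: list, masked: list,
                  fields=("customer_id", "email", "phone")) -> list:
    """Post-masking check: any original direct identifier still present verbatim."""
    blob = repr(masked)
    return sorted({r[f] for r in originals for f in fields if r.get(f) and r[f] in blob})


def run_demo() -> list:
    masked = mask_dataset(SAMPLE_RECORDS, DEMO_KEY)
    leaks = leaked_values(SAMPLE_RECORDS, masked)
    if leaks:
        raise RuntimeError(f"raw identifiers survived masking: {leaks}")
    return masked


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The point of the HMAC token rather than a plain hash is that an unkeyed hash of a low-entropy identifier such as a customer number can be rebuilt by anyone who can enumerate the identifier space; the key turns that into a secret the masked environment does not hold. The final `leaked_values` check is the kind of control a DPO can ask for as evidence that a masked copy is actually masked.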

Have organisations gotten any better at becoming GDPR compliant or is there still a lot of work to be done?  What is the outlook going forward?

Along with the latest GDPR violations and a large fine for Google in France, our research reveals that 74% of UK organisations are failing to respond to personal data requests. It's clear that, when it comes to GDPR, Data Subject Access Rights is the Achilles' heel of most organisations. Despite it being very easy for anyone to check, most organisations don't comply. There is a great deal of work to do in this area. A delay, or complete lack of a response, will only continue to damage free-falling consumer trust in how organisations store and organise their data.

The focus continues to be on data privacy violations, but another facet of GDPR compliance which is often overlooked is the failure of organisations to respond to subject access requests, which are an important part of the GDPR. It's quite simple. The GDPR is a contract between a business and a customer, detailing how it plans to store, manage and use personal data. As with any contract, this is more than a legal requirement; it's about building a trusting relationship. This is a vital distinction. Trust is a pivotal aspect for any business going forward. If you do not have a contract that your customers like or trust, customers will begin to withhold their data.

The way the contract is presented to customers is extremely important. Businesses need to ensure this is done fairly and in a way that breeds trust. They need to ensure that when customers request their data they can meet this request in a timely manner, and also in a way that makes it easy for the customer to understand what they are being shown.

In today's digital society, customer experience, loyalty and trust are vital revenue drivers for businesses. Better than personalisation, organisations must build relationships with customers. To achieve this, businesses should embrace a variety of methods that strengthen the trust between customers and businesses. This includes updating traditional T&Cs to become more user-friendly, and also allowing customers to control their data through personalised access portals.

How will upcoming political and economic shifts - such as those presented by Brexit - affect compliance priorities when it comes to GDPR?

Whether the UK leaves the EU with or without a deal, UK businesses will still have a need to comply with the GDPR if they continue to process EU citizen data and trade with EU nations.

With the explosion of the cloud, the exact storage location of data has become obsolete, and data is increasingly portable. Through EU-wide consistent regulation, data portability was a relatively simple activity. However, with moving borders and changing economies, the weight of regulation is increasing in the digital economy and data portability becomes a critical issue. With varying business rules, companies need to be able to centralise, locate, relocate and distribute their data in accordance with specific country rules.

But with increases in data portability there must also be clearer regulations on how to handle that data once it has been moved or shared with additional parties. This is not only pivotal for consumers who want to know where and how their personal data is being used, but also for companies who need to be able to move data when they want and know at any time where the data is located.

Ensuring we take control of data in this uncertain time is fundamental to success. Firms must act as data stewards to make sure data is used, stored and shared in a way that does not lead to the misuse of data by unauthorised third parties.

Overall though, now that we are mid-way through 2019, businesses must ask themselves if they are complying with the full extent of the GDPR provisions. The added pressures of Brexit and data sovereignty issues add extra elements of concern to an already complex data landscape. Businesses must do more to regain the trust of their data subjects and be aware that they risk very significant fines and further reputational damage in the event of non-compliance - both of which could prove potentially fatal to businesses.