The GDPR countdown continues and at PwC we're expecting September to bring a rush of new requests for support, as people come back from their summer holidays fully recharged and ready to tackle their programme to do lists.
Over the summer we have been preparing our people for what could be a surge of inquiries, so that we can maximise the support that we can give, but what are we expecting to see?
There were some noticeable trends over the summer, which I thought would be worth highlighting.
Internal Audit (IA)
There was a clear uplift in the number of inquiries for IA support. This is significant, as it shows that some programmes are starting to mature to the point of needing validation and testing, which for the organisations concerned is a very positive step.
Critically, it also means that GDPR is now residing on corporate risk registers, because generally the IA cycle is closely connected to the content of those registers. This is good news for Article 5.2 and 24 compliance (accountability and risk).
Programme Assurance (PA)
Programme Assurance is concerned with understanding whether the set-up of the programme is optimised (vision and strategy; governance; requirements and metrics) and whether delivery of the programme is on track, as measured against the programme requirements and metrics. The uplift in requests for PA support is connected to the uplift in IA requests, indicating that programmes are maturing, in the sense of where they have got to on the transformation journey. Again, for the organisations concerned this is very good news and it will help them with their Article 5.2 accountability requirements.
During our exploration of our clients' requests for IA and PA support, we've noticed a very interesting new trend, which we are calling 'Second Opinion' requests. What's going on is that some organisations are asking for a second opinion on whether the right programme choices have been made.
The focus of these second opinion requests differs from IA and PA in a very significant sense, in that neither IA or PA are concerned with the quality of the choices that have been made on the actual programme priorities and content.
There are many reasons why a second opinion is sought, but the primary motivation is that doubt has crept into the minds of people in the programme, or around it, about the direction of travel. This has been described to us as a 'nagging doubt'.
But what is triggering nagging doubt? Again, there are a number of factors, but a couple are worth pointing out.
First, the zone of responsibility for data protection is rapidly expanding beyond the traditional confines and boundaries of the Data Protection Officer, Chief Privacy Officer and Legal. This brings new perspectives, and people who are willing to - and able to - provide meaningful challenge to the conventional thinking. A discrete example of the point concerns the 'risk-based approach', which means different things to different people. Some clients are expressing concern that the advice that they have been receiving on risk might not be complete, because their advisors' understanding of risk isn't complete.
Second, the churn of Data Protection people is causing understandable doubt in some organisations about the programme choices that have been made. Many organisations are losing their GDPR programme drivers and vision owners to other organisations who are offering 'bubble money' (inflated salaries due to a market bubble that has emerged around GDPR) and it's only natural that they will want a second opinion, because the people behind these programmes won't be there to defend their former organisations and colleagues in the event that they are put under adverse scrutiny. I've heard it expressed that as the Data Protection leader exits the building, they are leaving others to 'hold the baby'. Not surprisingly, confidence can be undermined in these situations.
We've started to notice an increase in awareness of the litigation risks involved in getting data protection wrong. My sense is that organisations are starting to wake up to the fact that there there is much more to GDPR than a risk of fines. Connected to this, we've also started to detect a new focus on Personal Data Breach notification, with organisations starting to think afresh about how they will handle things going wrong.
PwC support & GDPR Bootcamp
PwC's global, multi-disciplinary practice can provide GDPR support anywhere in the world. If you would like to join our monthly GDPR Bootcamps, to find out more about current trends and how organisations are tackling the GDPR, please make contact.