Design Challenges for GDPR RegTech

Paul Ryan (a), Martin Crane (b) and Rob Brennan (c)
Uniphar PLC, ADAPT Centre, School of Computing, Dublin City University, Glasnevin, Dublin 9, Ireland
paul.ryan76@mail.dcu.ie, martin.crane, rob.brennan@dcu.ie

Keywords: GDPR, Compliance, Accountability, Data Protection Officer, RegTech.

Abstract: The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulation. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost savings and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, metadata or reports, and they are not supported by published methodologies or evidence to support their validity or even utility. A proof of concept prototype was explored using a regulator-based self-assessment checklist to establish whether RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, notwithstanding the risk reductions and cost savings that RegTech can deliver. This paper demonstrates that a RegTech approach to GDPR compliance can facilitate an organisation meeting its accountability obligations.

1 INTRODUCTION

In May 2018, the European Union (EU) introduced the GDPR. This regulation brought a high level of protection for data subjects, but also a high level of accountability for organisations (Buttarelli, 2016). The GDPR principle of accountability requires that a data controller must be able to demonstrate their compliance with the regulation (GDPR Recital 74).
This requires an organisation “to act in a responsible manner, to implement appropriate actions, to explain and justify actions, provide assurance and confidence to internal and external stakeholders that the organisation is doing the right thing and to remedy failures to act properly” (Felici, 2013). Organisations can be complex entities, performing heterogeneous processing on large volumes of diverse personal data, potentially using outsourced partners or subsidiaries in distributed geographical locations and jurisdictions. A challenge to complying with the accountability principle of the GDPR for organisations is demonstrating that these complex activities and structures are meeting their regulatory obligations. The organisation must implement appropriate policies, procedures, tools and mechanisms to support their accountability practices (Felici, 2013). Many organisations appoint a Data Protection Officer (DPO) to assist in this process. Bamberger describes the role as “the most important regulatory choice for institutionalising data protection” (Bamberger, 2015). In practice the DPO is the early warning indicator of adverse events when processing personal data within the organisation (Drewer, 2018). The DPO must have “professional qualities and, in particular, expert knowledge of data protection law and practices” (GDPR Art 37). This challenging role requires the DPO to monitor compliance and advise the organisation accordingly. The DPO acts independently of the organisation to assess and monitor the consistent application of the GDPR regulation and to ensure that the rights and freedoms of data subjects are not compromised (Article 8, EU Charter).

(a) orcid/0000-0003-0770-2737
(b) orcid/0000-0001-7598-3126
(c) orcid/0000-0001-8236-362X
The role of DPO encompasses a dynamic cycle of policy generation, staff training, business process mapping and review, compliance record keeping, audit, data protection impact assessments, and compliance consultations (Drewer, 2018). The constant pace of business change, allied with evolving legal interpretations, requires constant vigilance on the part of the DPO and creates additional challenges for accountability. Fundamentally, it is the organisation, and not the DPO, that must be able to demonstrate that it is meeting the threshold set by the accountability principle.

There are many solutions available to DPOs and organisations to help meet this challenge of demonstrating compliance with the accountability principle. This paper will evaluate the range of available tools, such as privacy software solutions from private enterprise vendors, maturity models and regulator self-assessment tools. Despite the many GDPR compliance tools available, this paper will highlight that the majority fail to meet the accountability principle. Most are not supported by published methodologies or evidence for their validity or even utility. They lack the ability to integrate or be integrated with other tools, and the level of automation and innovation in this space has also been limited.

In contrast, RegTech has emerged as a framework for automating regulatory compliance in the financial industry. The Global Financial Crisis (GFC) of 2008 prompted financial regulators to introduce new compliance regulations (Johansson, 2019), resulting in significant compliance challenges and compliance costs for organisations due to the complexity of these regulations. Strong data governance and the mapping of regulatory compliance provisions into software code (Bamberger, 2009) to facilitate regulatory compliance have been enabled by developments such as process automation, the digitising of data, the use of semantic methods and machine learning algorithms.
RegTech uses such tools to efficiently deliver compliance and risk reports in integrated toolchains. The evolution of RegTech has shown that information technology can be used to support automated or semi-automated regulatory monitoring and reporting of compliance (Arner, 2017). This paper proposes challenges for realising a RegTech approach to GDPR compliance whereby organisations leverage modern information technology to improve the organisational and external visibility of their GDPR compliance level. This approach requires automated data collection from relevant sources throughout the organisation and monitoring via GDPR compliance evaluation functions that could provide interoperable and machine-readable compliance metrics or reports for the organisation, suggested compliance actions and root cause analysis of compliance issues, using agreed data quality standards such as ISO 8000. The role of monitoring, analysing and reporting the GDPR compliance status in an organisation is the task of the DPO. A RegTech approach to GDPR compliance could provide the DPO with the ability to track organisational compliance progress, identify areas of compliance weakness and benchmark their performance against other organisations. This would greatly enhance an organisation's ability to demonstrate and improve compliance and thus meet the GDPR accountability requirement.

Section 2 will discuss the accountability principle, what it means in practice to an organisation and the challenges organisations face in meeting it. The role of the DPO, and their part in compliance, will be discussed in detail from the perspective of a practising DPO. Section 3 reviews the current approaches to GDPR compliance and critiques the many available offerings such as private enterprise software solutions, maturity models and self-assessment checklists. Section 4 examines the financial industry to see how RegTech is enhancing compliance using data-driven solutions.
Section 5 describes the challenges that must be faced in developing the next generation of GDPR compliance tools based on RegTech and documents the requirements that a DPO would have of such tools. Section 6 introduces a proof of concept in which a Data Protection Regulator's self-assessment checklist has been utilised, following RegTech best practice, to provide a simple and efficient method to demonstrate GDPR compliance and meet the requirements of the accountability principle.

2 THE GDPR ACCOUNTABILITY - A VIEW FROM THE DPO

In this section, this paper will discuss what the accountability principle of the GDPR means to organisations. The paper will look at the challenges that organisations are facing in demonstrating that they are meeting these obligations, and it will discuss the role of the DPO in this process. The Anglo-Saxon word “Accountability” has a broadly understood meaning of how responsibility is exercised and how it is made verifiable (Article 29 Working Party, 2010). Accountability can be viewed as an expression of how an organisation displays “a sense of responsibility, a willingness to act in a transparent, fair and equitable way” (Bovens, 2007) and “the obligation to explain and justify conduct” (Bovens, 2007). The GDPR accountability principle requires that a data controller “implement appropriate and effective measures to put into effect the principles and obligations of the GDPR and demonstrate on request” (Article 29 Working Party, 2010). In 2018 the Centre for Information Policy Leadership (CIPL) developed accountability-based data privacy and governance programs to encompass the key elements of accountability, as described in Fig. 1.

Figure 1: The Accountability Wheel: Universal Elements of Accountability (CIPL, 2018).
In practice, this can be viewed as “setting privacy protection goals based on criteria established in law, self-regulation and best practices and vesting the organisation with the responsibility to determine appropriate, effective measures to reach these goals” (CIPL, 2018). This is quite a challenging task for a data controller when dealing with a substantial legal text like the GDPR. Given the “lack of awareness of their obligations and duties in relation to personal data protection, it is urgent to define a methodology to be able to comply with the GDPR” (Da Conceicao Freitas, 2018). In theory, the GDPR provides for certification methods in Articles 42 and 43 to assist a controller in demonstrating compliance. However, in practice this has proven to be a challenge for organisations, as the European Union has not approved any certification body to certify compliance (Lachaud, 2016). In fact, views have been expressed that the GDPR certification process cannot be successful (Lachaud, 2016).

Many organisations appoint a DPO to assist with their GDPR compliance; however, it is important to note that the obligation to demonstrate compliance ultimately rests with the controller (organisation) and not the DPO. The role of DPO within the organisation covers a wide range of tasks as prescribed in Article 39 of the GDPR. The main tasks are to monitor, inform and advise the controller or processor regarding compliance with the GDPR, to provide advice on matters such as data protection impact assessments, to provide training and awareness raising, and to co-operate with and act as a contact point for the supervisory authority. The role of DPO requires a broad set of skills in GDPR legal compliance and a detailed knowledge of business processes (Drewer, 2018). The DPO works with numerous stakeholders such as data subjects, employees, processors and regulators and provides consultancy and guidance on business processes.
The role involves a broad spectrum of activities, from maintaining a register of processing activities to dealing with data breaches to completing data protection impact assessments. The DPO must have visibility of all activities and must monitor and report compliance to the highest level in the organisation (see Fig. 2). The DPO is in essence “privacy on the ground” (Heimes, 2016), in that the DPO is the early warning system for GDPR compliance within the organisation (Drewer, 2018). The challenge for the DPO is how to demonstrate that the organisation is accountable and can demonstrate GDPR compliance.

[Figure 2 labels: Main contact with regulator; Staff training; Data Processors; Data Protection agreements; Board; Data retention; Data Subject Consent; International Data Transfers; Cloud storage; Data Breach; Business Process: Risk impact assessments, Privacy by design assessments; Subject access requests; Register of processing activities; Policies and Procedures; Advise & Inform]
Figure 2: The breadth and complexity of the role of Data Protection Officer (Source: Author).

3 CURRENT APPROACHES TO GDPR COMPLIANCE

This section discusses the broad range of tools and methods that are available to DPOs to demonstrate the GDPR compliance of their organisation.

3.1 Private Enterprise Software Solutions

There has been a call for tools and methods to assist organisations in meeting their GDPR compliance obligations (Piras, 2019). This is being met by large financial investments by venture capital companies, with over $500 million invested in privacy-related start-ups around the world in 2017 (IAPP, 2019). There are over 263 vendors offering privacy software tools to organisations (IAPP, 2019). These software solutions come in many forms, ranging from simple questionnaires and templates to solutions that focus on individual aspects of GDPR compliance, such as website scanning for the use of cookies.
The main categories of these privacy tools are as follows (IAPP, 2019):

Activity Management - control and monitor access to personal data
Assessment Managers - automate different functions of a privacy program, locating risk gaps and demonstrating compliance
Consent Managers - help organisations collect, track, demonstrate and manage users' consent
Data Discovery - determine and identify personal data held
Data Mapping solutions - determine data flows throughout the enterprise
De-identification - pseudonymisation tools
Secure Internal Enterprise Communications
Data Breach - incident response solutions
Privacy Information Managers - provide the latest privacy laws around the world
Website Scanning - catalogue cookies

Table 1: Privacy software tools, number of vendors per category (IAPP, 2019).

Privacy Product Category             No. of Vendors offering this service
Activity Monitoring                  86
Assessment Manager                   105
Consent Manager                      82
Data Discovery                       94
Data Mapping                         117
De-Identification/Pseudonymity       46
Enterprise Communications            39
Incident Response                    63
Privacy Information Manager          73
Website Scanning                     30

Whilst there is a variety of privacy software solutions being offered by vendors, as displayed in Table 1, “there is no single vendor that will automatically make an organization GDPR compliant” (IAPP, 2018). In fact, most solutions on offer from private enterprise cover 3 or fewer categories; see Figure 3.

Figure 3: No. of privacy product categories offered by no. of vendors.

An accountability framework requires a comprehensive approach to compliance across the organisation. Whilst these software solutions go some way towards the demonstration of compliance, the author has identified several weaknesses in these private enterprise software solutions, as follows:

They are not supported by published methodologies or evidence to support their validity or ev