The Journey to Code: one year on

October 09, 2019

by Stewart Room Partner; Global Head of Cyber Security and Data Protection Legal Services; UK Data Protection National Lead

Email +44 (0)7711 588978

This time last year I published my first blogs about ‘The Journey to Code’, to set out my sense of the likely trajectory of Data Protection (aka ‘Data Privacy’) over its next cycle of development.

The central idea within The Journey to Code is that Data Protection ‘outcomes’ need to be re-balanced more towards technology and data themselves, rather than being overloaded towards paper and people. In my opinion, The Journey to Code will help to deliver the Privacy by Design agenda.

Why The Journey to Code?

There are three ideas here.

First, in the Digital World and in Cyber Space, where the bulk of the Data Protection issues reside, there is a single, universal truth, which is Code. Code is the DNA of Digital and Cyber; technology is run by Code and data is created by Code; data processing, the activity that is regulated by Data Protection law, is performed or facilitated through Code.

Second, when the origins of Data Protection law are considered, which are nearly 50 years old, it's quickly discovered that they stemmed from a fear of technology fuelled by personal information delivering a propaganda and surveillance society. Therefore, it must follow that if tech and data are the sources of concern, they must also be the sources of the solution. This means that Data Protection solutions must ultimately be Code-based, or supported by Code. The fact that a propaganda and surveillance society has been delivered only adds to the sense of urgency around the need for Code-based solutions.

Third, when the essence of business transformation is distilled down to its core ingredients, it becomes apparent that transformation must occur across three layers of business, namely the paper layer, the people layer and the tech and data layer. Thus, if Data Protection compliance requires a business transformation exercise, which it generally does, then it must require outcomes to be delivered in tech and data and ultimately through Code.

Rebalancing Data Protection outcomes towards tech and data

The Journey to Code does not reject the idea that the delivery of Data Protection outcomes needs results in the paper and people layers of business. Of course not, as that would be to deny the basics of business transformation and many of the legal principles within Data Protection law itself.

Instead, The Journey to Code predicts a re-balancing of effort, away from paper and people, and more towards tech and data. This concept of re-balancing is key, so as well as having a focus on tech and data, The Journey to Code embraces current and conventional thinking about policies, procedures, notices, registers and contracts (i.e., paper, which may be physical or electronic) and governance models, roles and responsibilities and education, training and monitoring (i.e., the people layer).

The point at the heart of The Journey to Code is that insufficient efforts are being made in the tech and data layers of business, which cannot be right, due to the three ideas discussed above. This sub-optimum status quo perpetuates Data Protection risks and contributes to a drag on innovation and economic growth.

The Journey to Code in practical situations

There are many kinds of Data Protection risks, but in a thematic sense there have been two dominating risk issues over the past decade or so, namely security and data-driven marketing. Both topics have many subsets of issues within them, which throw up myriad scenarios, so they provide fertile ground for practical case studies that help to point the way towards and along The Journey to Code.

For example, in the noughties, one of the dominant security themes was encryption of mobile devices and data in motion. Encryption came to be seen not only as a de facto mandatory security measure as a matter of law, but also as having de-regulatory effect, as illustrated by various laws on breach notification and reporting that exempt unintelligible data from those transparency obligations. This was a Code-based solution to critical problems. Security has followed The Journey to Code.

But what is happening in the data-driven marketing space? Well, if we take the idea of AdTech, there have been a raft of major developments recently, including very significant decisions by the EU Court of Justice, the UK Court of Appeal and various national regulators, which reveal major concerns about how the AdTech industry is operating. Due to AdTech being a tech and data issue, the solutions to the Data Protection problems arising cannot be built simply around paper and people. The DNA of AdTech - tech and data - will need to take up much more of the responsibility for delivering the required Data Protection outcomes. Like security, AdTech has to follow The Journey to Code.

It’s a journey, not an overnight change, and it will take time

The Journey to Code does not anticipate an immediate jump from the current paper and people-dominated state of Data Protection to a coded-state overnight. The Journey doesn’t anticipate that everyone will become Coders. Instead, the emphasis lies on the word ‘journey’, an iterative process that takes place over time and that gets closer and closer to the coded nirvana with each step taken.

This means that there are absolutely no barriers to The Journey to Code being followed by any person, or any organisation, at any point in time. J2C permits of countless first steps, none of which will be wrong. For example, setting up a cross-functional network of professionals within the organisation to bridge some of the gaps between the paper, people and tech and data layers of business could be a sensible first step on The Journey in many situations. Likewise, The Journey could be pursued in a thematic sense, as in the security and AdTech senses discussed above, or perhaps by reference to business processes, or technology roll-outs. As long as The Journey progresses in a way so as to re-balance focus and efforts more towards tech and data outcomes, there is no correct or incorrect starting point.

PrivacyTech: what is available now, as part of the state of the art?

However, there are many ways in which The Journey to Code can be quickly accelerated, because there are already many tech and data solutions on the market that can deliver better Data Protection outcomes. These are coming together as a ‘PrivacyTech’ community, sometimes sitting within the RegTech community, but there are no hard and fast rules on how they should be categorised.

Within The Journey to Code, I see a major role for a Technology Reference Architecture (TRA), which builds around a core PrivacyTech value chain that connects to and interfaces with the wider tech and data landscapes in the Digital World and Cyber Space. The basic building blocks of the core value chain within the TRA are:

  1. Privacy Management technologies, involving GRC and workflow capabilities;
  2. Data Insight technologies, involving data search and analytics capabilities; and
  3. Privacy Enhancing Technologies, which provide the principles and rights-based outcomes at the heart of Data Protection.

These technologies are already on the market and they can provide organisations with scalable accelerators for their Journey.

The law on PrivacyTech: ATOM, Privacy by Design and the state of the art test

By delivering Data Protection outcomes in tech and data, the organisation also delivers legal compliance. Moreover, it is possible to interpret some laws so as to create de facto mandatory requirements to go on The Journey and to consider PrivacyTech solutions. For example, in the EU the GDPR requires Data Controllers to ‘implement appropriate technical and organisational measures’ to ensure compliance with the law, which can be fulfilled through a Privacy by Design approach, which itself requires Controllers to take ‘into account the state of the art’. These requirements can meld together to create positive obligations for organisations to consider PrivacyTech solutions. As such, the GDPR, like many laws, compels business to go on The Journey to Code.
