Believe it or not, up until late 2017 the majority of companies seemed to be blissfully unaware of the impending “doom” of full GDPR implementation.
If you look at Google Trends, you will notice a rapid growth of interest by January 2018. For the record, GDPR was adopted in May 2016.
In many ways, no one was really ready for the coming of the GDPR. Although it was adopted way back in 2016 and there was a lot of time to prepare, the majority of companies didn’t bother until the heat was around the corner.
While this can be written off to the generally careless attitude that prevails in many technology-oriented companies, it is also absolutely mystifying why it took so long to realize that GDPR is real, that it is here to stay, and that you either adjust to it or go away with a somber, solemn look on your face.
Implementing the GDPR principles is a considerable challenge for both companies and users. Not only is there a lot to do in order to follow the guidelines, but there is also a need to adopt certain practices that will ensure the exclusion of any possibility of a violation.
In this article, we will break down all the major challenges that come with the adoption of GDPR and describe its possible benefits for the companies and the users.
An overarching GDPR challenge for any company that uses personal data is the sheer scope of the work to be done in order to comply with the updated guidelines. It is humongous, and it needs a very delicate and thorough approach.
Overall, the challenges of implementing GDPR for companies can be divided into technical and organizational ones.
Let’s break them down one by one.
The imposing number of requirements that constitute GDPR compliance is designed to increase the accountability of those who process personal data. They are intended specifically to make the whole process as transparent and trustworthy as possible.
You have to ensure that the policies for personal data usage, consent, rectification, access and deletion are composed according to the regulations.
Also, cooperation with third parties is considered a key risk under GDPR, and as such it must be reassessed and adapted accordingly.
You can read about the requirements in detail in our previous article.
The challenge lies in the fact that GDPR as a whole is extremely process-driven. While it is designed to improve such practices as decision-making and risk assessment, GDPR also adds another layer to them and thus complicates an already complicated process.
One of the major challenges of implementing GDPR is the initial audit of the system. It may be an easy task if the company’s data is stored in one place, but that is not always the case. The whole process is conducted through a stack of tools that helps to centralize data from different sources and subsequently monitor its use. Basically, it is a separate data management platform dedicated solely to security issues.
There are several key elements to determine during this operation:
- What data is collected?
- What are the sources of the data gathering?
- Where is the data stored?
- How is it used?
- Who has access to what data? For how long?
Next, you need to audit the company’s processes in order to see which of them will be affected by GDPR. This will give you a picture of which elements should be changed in order to maintain a steady workflow.
Basically, it boils down to three key elements:
- How is data encrypted?
- Is access to data sufficiently restricted?
- Is data trackable?
Preparing the team for GDPR might be a tricky thing. While the technical aspect depends on the clarity of the methods, it is way harder to teach people to follow the guidelines, especially ones as tangled as those in GDPR. It takes time and requires patience.
Your team needs to understand what it means and how it works and how it affects their working process. There must be clarity on the following issues:
- Data subject (AKA user) rights;
- What information can be divulged under which circumstances?
- What kind of activity is permitted and what is not?
- What constitutes consent?
- What constitutes noncompliance?
Aside from that, GDPR compliance recommends the appointment of a Data Protection Officer (DPO), whose responsibility will be to ensure that the company is operating according to the regulations. However, there is a question about the DPO’s place in the company’s organization. The DPO must report to the highest management of the company and must be absolutely independent in their judgment in order to maintain a balanced view of the state of things regarding data privacy.
GDPR significantly expands users’ rights over their personal data. One of the user’s primary instruments of influence over how companies use personal data is the request. Because of the muddled nature of data gathering, there will be a lot of questions from users regarding the processing of their personal information. It is better to know what to say in such cases (the alternative is paying a fine, which is a little bit counterproductive for business).
The company must be ready to provide information on the following matters:
- Purposes of the processing;
- Categories of the gathered data;
- Involved parties to whom the user’s personal data will be disclosed;
- Approximate time frame over which personal data will be stored;
- Compliance with requests for correction, erasure or restriction of processing of personal data.
Anything that involves spending money is challenging. The coming of GDPR means that there must be a significant rethinking of the budget in order to provide adequate maintenance of the data privacy and security operations.
The problem is that even though an audit can help get the picture, there are still too many unknowns in the equation that can significantly inflate the budget over time.
Basically, the additional spending is aimed primarily at three elements:
- technology research;
- its subsequent implementation;
- human resources to do the job.
But companies are not the only ones who are going to be affected by the coming of GDPR. Users are going to feel a significant impact too. The thing is, GDPR is the latest in a long line of privacy-related EU initiatives. In fact, the European Union has always maintained a “consumer-first” approach regarding privacy.
However, this dedication to privacy and all-round consent can be overwhelming and downright challenging for users.
While knowing your rights may seem like a relatively simple task (wink-wink) — it is not exactly like that. In fact, it is a tough thing to do. Take a quick look at Chapter 3 of the GDPR document and read into what constitutes the rights of the Data Subject AKA user.
That’s a lot. Whole lotta rights to know. The challenging part is that the user needs to know under which circumstances he can exercise his rights and what the limits of data subject rights are.
Also, it is important to understand the possible consequences of abusing these rights.
Anyway, misunderstanding of these rights will probably lead to many ugly situations in which users unwittingly give away their information and later try to get some justice even though it is their own fault.
Consent is the key concept of GDPR. It means a clear affirmative indication of giving permission to use one’s personal information for further processing. It is absolutely mandatory for every company. They need to ask the user’s permission to use personal information. Otherwise, they will be unable to operate legally under GDPR.
Now think about how many different applications you are currently using. Most of them require some form of personal data processing. They use your e-mail, geolocation, IP address and so on in order to enable their services. All this goodness needs a clear affirmative indication of consent.
Given that there is no chance these consent requests will be written in any semblance of “Homosapienese”, chances are the common user will click through without giving it much thought, only to realize it later and attempt to backtrack on the decision.
In many ways, GDPR means the coming of a New World Order regarding the relationship between users and companies. Since users are in control of their personal data, they must also be informed about what is happening with it. That, unfortunately, also includes instances when their personal data has been breached.
Because notification of data breaches is mandatory, users need to learn how to react to such situations.
The matter is extremely complicated because every instance of a data breach is unique and requires close assessment in order to provide an adequate reaction. Another complication is that every case allows a varying level of user involvement. That is something beyond the user’s or the company’s control and is determined solely by the court.
If there are so many challenges, are there ANY benefits to this data protection regulation?
In many ways, GDPR is a blessing. It is well-intentioned and rather well-mannered (especially if you compare it with DPD, which is just sad). There are many benefits to clearly defined rules of engagement for both sides. Its implementation is a chance to improve vital elements of your company and make it a much better functioning entity overall.
GDPR’s biggest achievement is a clarification of the key terms regarding user/company relation in terms of personal data use.
A direct result of this clarification is a basic definition of the rights and responsibilities of the involved parties. This gives a proper map of what is permitted and what is banned, which in turn provides a set of tools to react in a variety of situations.
The most obvious benefit of GDPR is trust. By implementing diverse data security practices and appointing a DPO whose job is to keep data privacy intact, companies can significantly increase their trustworthiness in the eyes of users.
Alignment with GDPR will serve as a seal of approval, assuring users that the company whose services they are using will not mess with them by any means.
This, in turn, will increase customer loyalty, which will directly result in positive developments in brand recognition.
Another direct benefit is the improvement and refinement of decision-making practices. GDPR adds a couple of new factors for consideration that significantly change the perception of the state of things.
To put it simply — the stakes are higher and possible consequences of the failure to comply are severely uninspiring.
Under the weight of increased responsibility and imposing punishments, GDPR will indirectly lead to a more calculated and cautious approach to decision-making.
Risk assessment is probably the biggest winner of GDPR adoption. While it is considered to be a part of the standard operation — chances are it receives less attention and care than it probably deserves.
GDPR turns the tables in favor of a more thorough and responsible approach to risk assessment, for one simple reason: the notion that a slight oversight and risk underestimation may result in significant monetary and reputational damage for the company.
GDPR guidelines stress the importance of a well-organized, impenetrable and highly regulated security framework. While this seems to be an obvious and reasonable requirement for any company, the fact that data breaches are commonplace these days suggests the opposite.
However, GDPR provides clear and realistic guidelines on how to make a security system better and how to maintain it.
A combination of regular system audits, monitoring and cautious employee culture is the key to effective improvement.
Along with the improvement of the practices comes increased alignment with cutting-edge technologies.
Since you never know what kind of unfortunate event can happen to your system, the company will need to constantly evolve its data security stack in order to stay current and prepared for any possible danger.
If anything, that will probably cause rapid development of new technologies.
GDPR is a game-changing document whose influence is hard to overestimate. To put it simply, it will cause seismic shifts all over the world, no less. There is no doubt that in the long term GDPR will cause a drastic transformation in the business landscape of not only the European Union but also the entire world.
The way it reiterates the definition of personal information and rearranges the balance of power in the realm of data processing is nothing short of revolutionary. It is challenging in many ways but, as you can see, there are also considerable benefits to GDPR compliance.
* * *
This blog post is part of a series.