After implementing different GDPR programmes and speaking with colleagues, there is broad recognition that there is still some work to be done to be GDPR compliant. The general consensus appears to be that many organisations continue to struggle with the same kinds of GDPR implementation issues.
As we look ahead to 2019, here are some of the key recurring issues that should remain on your To-Do list. Perhaps you can add more?
- The organisational scope was initially too narrow, leading to surprises at a later stage.
- It is difficult to determine a Risk Tolerance level in the absence of a clear Vision or Strategy.
- GDPR implementation was planned as a project rather than a programme.
- The programme was run via either Legal, IT or Marketing, but not transversally across the organisation.
- A DPO role or Data Protection responsible was allocated; however, the actual content of the role also involves non-DPO related activities.
- Related GDPR risks are often not taken up by Corporate Risk Management.
- Without Data Governance in place, it is difficult to understand what personal data means to the entire organisation, what the risks are and what to update/change/deliver/delete upon a data subject request.
- It is not always clear who should take up the new activities such as DPIAs, DSRs, Consent, documenting the register etc.
Awareness and Communications
- Extensive media exposure of GDPR led to many misunderstandings, stress and confusion.
- General interest and engagement within companies was high as a result of the heightened public awareness.
- GDPR fatigue and “GDPR is over, let’s get on with our business” are often heard in organisations. It’s hard to keep employees engaged!
Legal and Data Transfer
- Technical and Organisational Measures were a step too far for many of the smaller processors.
- It is difficult to get all Data Processor Agreements across the line. Choices were made which led to a mix of compliant and non-compliant processor arrangements.
- Binding Corporate Rules seem a good solution in the correct contexts, however the effort involved is significantly underestimated here.
Data Protection Technology
- The market is now flooded with different types of solutions, however it is difficult to match vendor offerings with customer requirements.
- MS Excel seems to lead the way for most as a temporary solution, which can quickly develop into a medium/long-term solution if efforts are not made to find an alternative.
- Many organisations can re-use existing technologies to cope with GDPR requirements – but haven’t done the mapping yet.
Data Protection by Design and Default
- If a Data Protection Impact Assessment is new for a company, then developing a Data Protection by Design & Default MIND-SET remains a challenge for most organisations.
- Principles are difficult to implement in a cost-effective manner for legacy applications.
- Implementing DPbD in an isolated manner is to be avoided.
Consent and Legal Ground
- The requirements seem understood in the marketplace, however most organisations are still searching for the value proposition.
- Websites may be compliant today but without some form of automated discovery, it will be difficult to stay compliant going forward.
- In an omnichannel environment, it is difficult to get all consents synchronised and aligned with a unique identifier. If you are busy with solving this challenge, think also of building the Citizen/Customer 360° profile.
- Offering Consent and Opt-out to employees still has to be addressed by many organisations.
- The Data Protection policy (not the Statement) is often not reflective of reality.
- While many Privacy Statements tend to meet GDPR principles, others tend to stay on the edge. It is especially interesting to read the privacy statements of companies openly pursuing the ethical approach and their level of transparency.
Register for Processing Activities
- This can be a catalyst for doing things the right way. If developed well, this is where Legal, Business, IT and Information Security can converge. (Traditionally it is difficult to get these silos all around the table at the same time.)
- How many companies actually have their processes defined and up-to-date?
- Granularity of the processes is varied.
Data Subject Access Requests
- The mother of all headaches, “how to delete”, remains a challenge.
- Enforcement of retention periods remains work in progress.
- When requested, how do we know that we have provided all the relevant data to the Data Subject?
- Do we really need to give everything e.g.: to Ex-Employees?
- Implement an Incident management process which integrates the data breach procedure.
- How ready is the organisation for a major data breach?
- What do we need to report to the Authorities and when?
- Did we run a test simulation of a serious breach, and did we learn from the results?
- How do we know if we are compliant and would a Data Protection Audit assist?
- What are the KPIs for a well-run Data Protection programme?
These are just some of the common challenges that we notice on a daily basis. Perhaps you have others to add? Thanks for reading and your feedback!