Data protection specialists were the professionals who worked together with companies to obtain and maintain GDPR compliance. We wanted to know what, in their opinion, were the biggest challenges that companies faced in the two years since the GDPR regulation was implemented.
In Bogdan Manolea’s opinion, the biggest challenge for companies was “to understand what they need to do. Starting effectively tomorrow. The companies were waiting for a clear checklist and a fixed price, like a one-time payment. But an answer depends on the data protection practices, which are different in every company, and on the correlative security measures. Therefore, I believe it’s unprofessional to say you know what has to be done on the first encounter. Because you actually don’t, and you’ll know the answer later on”.
Serban Popa, GDPR consultant at Unity Solutions, notices a “diminished importance in the effort of analysis and consultancy, of mapping internal processes with all the necessary descriptive elements”.
Raluca Puscas, Partner at Filip & Company, says: “First of all, everybody is thinking about obtaining the GDPR compliance, which requires a lot of activities, from data mapping, risk analysis, evaluating the impact over data protection, implementing policies and documents, but then, we need to think about maintaining it, which is a continuous process”.
Raluca Puscas adds: “Many times, all these processes imply a change in the organization and also, defining new collaboration flows between departments, involving the DPO. Even after all the policies, procedures and evaluations will be made and all documents will be organized, there will be the challenge of incorporating the privacy requirements within the organizational culture, as in to pay attention to data protection of clients, employees, and all the other subjects.”
For Stefan Iancu, GDPR Consultant at iPrivacy, “The principle of accountability aims, at the end of the day, to ensure a high level of demonstrable responsibility, therefore, on one hand, controllers should aim for the building of a meaningful and sustainable privacy culture, on the other hand, GDPR compliance is always a team effort, so for a start, there are three key factors susceptible to making a GDPR compliance program either successful or a failure:
Roxana Mitroi, Attorney at Law at bpv GRIGORESCU STEFANICA, makes an interesting point: “Even the employees who went through the GDPR compliance process had to update their knowledge regarding procedures and legislation. I, therefore, believe that one of the biggest challenges for companies is to permanently and continuously monitor the GDPR compliance”.
“Taking into consideration the external and internal efforts made in order to obtain compliance, the necessity of monitoring and updating of processing activities, of the register, the avoidance of security breaches, and the development and use of software like artificial intelligence, I believe the activity in the areas of privacy and data protection will continue at both internal and external level within the companies, by hiring different types of experts”, continues Roxana Mitroi.
In Marius Dumitrescu’s opinion, “The employees represent one of the biggest risks regarding the security of an organization, at least according to State of Cybersecurity 2019 research, made by ISACA”.
According to Marius Dumitrescu, Data Management and GDPR Compliance Solutions Specialist, “The biggest challenge for companies when obtaining and maintaining GDPR compliance is the lack of a responsibility culture within employees regarding data protection. This deficiency can be substantively diminished by assigning training programs regarding data protection and the company’s policies. Making the employees more responsible when it comes to data protection will bring a lot of added value to every company. An employee who is aware and informed is a vigilant employee, acting responsibly; at the same time, the risks of human errors decrease while the work productivity increases. Moreover, the quick identification of any data breach and respecting the incidents’ response protocol will minimize the company’s loss.”
This article is the third in a four-part series that aims to give a detailed picture of the local GDPR landscape, two years after May 25th, 2018.