Data Protection Specialists were the professionals who worked together with the companies in order to obtain and maintain the GDPR compliance. We wanted to know what were, according to their opinion, the biggest challenges that companies faced in the last two years since the GDPR regulation was implemented.

In Bogdan Manolea’s opinion, the biggest challenge for companies was “to understand what they need to do. Starting effectively tomorrow. The companies were waiting for a clear checklist and a fixed price, like a one-time payment. But an answer is depending on the data protection practices, which are different in every company, and on the corelative security measures. Therefore, I believe it’s unprofessional to say you know what has to be done on the first encounter. Because you actually don’t, and you’ll know the answer later on”.

Serban Popa, GDPR consultant at Unity Solutions, notices a “diminished importance in the effort of analysis and consultancy, of mapping intern processes with all the necessary descriptive elements”.

Raluca Puscas, Partner at Filip & Company says: “First of all, everybody is thinking about obtaining the GDPR compliance, which requires a lot of activities, from data mapping, risk analysis, evaluating the impact over data protection, implementing policies and documents, but then, we need to think about maintaining it, which is a continuous process”.

Raluca Puscas adds: “Many times, all these processes imply a change in the organization and also, defining new collaboration flows between departments, involving the DPO. Even after all the policies, procedures and evaluations will be made and all documents will be organized, there will be the challenge of incorporating the privacy requirements within the organizational culture, as in to pay attention to data protection of clients, employees, and all the other subjects.

For Stefan Iancu, GDPR Consultant at iPrivacy, “The principle of accountability, aims, at the end of the day, to ensure a high level of demonstrable responsibility, therefore, on one hand, controllers should aim for the building of a meaningful and sustainable privacy culture, on the other hand,  GDPR compliance is always a team effort, so for a start, there are three key factors susceptible to making a GDPR compliance program either successful or a failure:

  • The right selection and appointment of the DPO, in accordance with the GDPR, observing specific provisions and considering as equally important, the adequate expertise, independency, avoidance of the conflict of interests, timely involvement of the DPO in every aspect regarding data protection, access to the highest level;
  • Thorough assessments of the privacy impact and associated risks, starting with the tone from the top, in a demonstrable leadership and commitment, which is meant to ensure the involvement and input from all relevant stakeholders within the organization, as well as proper allocation of necessary resources, and last but not least
  • Effective and regular training for employees and clear internal and external communication”.  

Roxana Mitroi, Attorney at Law at bpv GRIGORESCU STEFANICA, makes an interesting point: “Even the employees who went through the GDPR compliance process had to update their knowledge regarding procedures and legislation. I, therefore, believe that one of the biggest challenges for companies is to permanently and continuously monitor the GDPR compliance”.

“Taking into consideration the external and internal efforts made in order to obtain compliance, the necessity of monitoring and updating of processing activities, of the register, the avoidance of security breaches, and the development and use of software like artificial intelligence, I believe the activity in the areas of privacy and data protection  will continue at both internal and external level within the companies, by hiring different types of experts”, continues Roxana Mitroi.

In Marius Dumitrescu’s opinion, „The employees represent one of the biggest risks regarding the security of an organization, at least according to State of Cybersecurity 2019 research, made by ISACA”.

According to Marius Dumitrescu, Data Management and GDPR Compliance Solutions Specialist, “The biggest challenge for companies when obtaining and maintaining GDPR compliance is the lack of a responsibility culture within employees regarding data protection. This deficiency can be substantively diminished by assigning training programs regarding data protection and the company’s policies. Making the employees more responsible when it comes to data protection will bring a lot of added value to every company. An employee who is aware and informed is a vigilant employee, acting responsibly; at the same time, the risks of human errors decrease while the work productivity increase. Moreover, the quick identification of any data breach and respecting the incidents ‘response protocol will minimize the company’s loss.”

This article is the third in a four-part series, aiming to show a detailed image of the local GDPR landscape, two years after May 25th, 2018 moment.

Related articles:

Photo: “cairn stone in Skogafoss Falls, Iceland”, Courtesy of Martin Sanchez,