2 years of GDPR: The most important lesson that companies and data protection specialists learned

by Sypher - July 21, 2020

The two years since GDPR came into force have not only been a time of challenge, but also an opportunity to learn valuable lessons. Six data protection specialists share the most important ones.

“Those companies willing to be GDPR compliant and which really care about clients’ or users’ personal data learned that this is a longer and more difficult process, especially if their business is in an area where a certain degree of flexibility is required”, says Bogdan Manolea, legal expert.

For his part, Serban Popa, GDPR consultant at Unity Solutions, notes that: “No one is mature in this professional area; we need to analyze according to every particular situation and to adapt according to the perceived risk and the cost of investment, but bearing in mind that data subjects’ protection comes first. Moreover, looking back (even within the list of ANSPDCP fines), we are emphasizing the need for continuous training, art. 30 registry documentation with appropriate technical and organizational measures in place, as well as proper policies for answering Data Subject Requests and proper reaction to Data Breach incidents.”

According to Raluca Puscas, Partner at Filip & Company, “GDPR educated consumers; therefore, people are more careful about the way companies process their data. Fines also played an important role and there is a continuous learning process based on the new cases and the authorities’ reaction within the European Union. We can expect privacy issues to be more deeply analyzed by consumers when they install different apps on their mobile phones or when they use various digital products, to the point where GDPR compliance could even turn into a business differentiator for companies”.

“Other lessons can be extracted if we analyze the reasons for which both Romanian and European authorities applied fines so far; among them, the lack of adequate technical and organizational measures to ensure personal data security, lack of legal basis for data processing or issues in observing the data subjects’ rights are the usual suspects”, adds Raluca Puscas.

For Stefan Iancu, GDPR Consultant at iPrivacy, “The most important lesson learned is that compliance’s main purpose is to protect the data subjects’ rights; it’s not about formalities, procedures and documents (that’s only half of it); it’s a team effort and the responsibility belongs to each and every member of the organization, and also, data protection has to become as soon as possible an important part of the organizational culture within each and every company. This should start with the tone from the top, which defines management leadership and commitment to personal data protection and trickles down into every level within the organization”.

Roxana Mitroi, Attorney at Law at bpv GRIGORESCU STEFANICA, says that “Probably one of the most important lessons that all players learned was that every situation has its own characteristics and must be carefully treated. Documents with general applicability cannot refer to features particular to every area and also cannot protect the business; therefore, we always recommend a specific analysis of the company’s activity, mapping the data and process flows, identifying the existing gaps, followed by writing the necessary policies and documents and by implementing them. Our recommendation is to treat the processing activities in a distinct way and to particularly analyze the compliance degree of every entity within the process”.

Marius Dumitrescu, Data Management and GDPR Compliance Solutions Specialist, notes that “In the last months, since the COVID-19 pandemic, people talked about GDPR more than in the whole period since the GDPR regulation was implemented, and it’s sad that only in this coronavirus context GDPR got the attention it deserved”.

The specialist says that even though the DPO seems to be caught between the legal obligations imposed by the law, which can limit people’s rights, and the GDPR principles, “there are ways to ensure a balance between all the regulations:

  1. Involve the DPO. He is the expert who can guide the organization in complying with GDPR and keeping the balance with legal obligations and commercial interests.
  2. Respect the seven fundamental principles of GDPR. These principles must be implemented within every procedure, like filters that need to be applied before releasing any kind of document or policy.
  3. Keep the data subjects informed. It’s easy to invest in this proactive information, which could result in the data subjects’ involvement, as all of these restrictive procedures are in their best interest, to protect their personal data.
  4. Training and adequate guarantees. We must be careful when the personal data of our employees, our clients or our visitors are processed by third parties which act as operators, and we need to make sure that technical and organizational measures of data security and protection are implemented during the whole processing process.
  5. Evaluate the level of data processing and identify less intrusive methods to process personal data, without increasing the level of bureaucracy.”

Marius Dumitrescu concludes that these measures shouldn’t be applied only during the pandemic, as the five recommendations apply to any organization whose goal for the next year is to adapt its organizational culture and adhere to the GDPR principles.
