The two years that have passed since GDPR came into force have not only been a time of challenge but also an opportunity to learn valuable lessons. Six data protection specialists share the most important ones.
“Those companies willing to be GDPR compliant and which really care about clients’ or users’ personal data learned that this is a longer and more difficult process, especially if their business is in an area where a certain degree of flexibility is required”, says Bogdan Manolea, legal expert.
For his part, Serban Popa, GDPR consultant at Unity Solutions, notes that: “No one is mature in this professional area; we need to analyze according to every particular situation and to adapt according to the perceived risk and the cost of investment, but bearing in mind that data subjects’ protection comes first. Moreover, looking back (even within the list of ANSPDCP fines), we are emphasizing the need for continuous training, art. 30 registry documentation with appropriate technical and organizational measures in place, as well as proper policies for answering Data Subject Requests and proper reaction to Data Breach incidents.”
According to Raluca Puscas, Partner at Filip & Company, “GDPR educated consumers; therefore, people are more careful about the way companies process their data. Fines also played an important role, and there is a continuous learning process based on the new cases and the authorities’ reaction within the European Union. We can expect privacy issues to be more deeply analyzed by consumers when they install different apps on their mobile phones or when they use various digital products, to the point where GDPR compliance could even turn into a business differentiator for companies”.
“Other lessons can be extracted if we analyze the reasons for which both Romanian and European authorities have applied fines so far; among them, the lack of adequate technical and organizational measures to ensure personal data security, lack of a legal basis for data processing, or issues in observing the data subjects’ rights are the usual suspects”, adds Raluca Puscas.
For Stefan Iancu, GDPR Consultant at iPrivacy, “The most important lesson learned is that compliance’s main purpose is to protect the data subjects’ rights; it’s not about formalities, procedures and documents (that’s only half of it). It’s a team effort, and the responsibility belongs to each and every member of the organization. Also, data protection has to become, as soon as possible, an important part of the organizational culture within each and every company. This should start with the tone from the top, which defines management leadership and commitment to personal data protection and trickles down into every level within the organization”.
Roxana Mitroi, Attorney at Law at bpv GRIGORESCU STEFANICA, says that “Probably one of the most important lessons that all players learned was that every situation has its own characteristics and must be carefully treated. Documents with general applicability cannot refer to features particular to every area and also cannot protect the business; therefore, we always recommend a specific analysis of the company’s activity, mapping the data and process flows, identifying the existing gaps, followed by writing the necessary policies and documents and by implementing them. Our recommendation is to treat the processing activities in a distinct way and to particularly analyze the compliance degree of every entity within the process”.
Marius Dumitrescu, Data Management and GDPR Compliance Solutions Specialist, notes that “In the last months, since the COVID-19 pandemic, people talked about GDPR more than in the whole period since the GDPR regulation was implemented, and it’s sad that in this coronavirus context GDPR got the attention it deserved”.
The specialist says that, even though the DPO seems to be caught between the legal obligations imposed by the law, which can limit people’s rights, and the GDPR principles, “there are ways to ensure a balance between all the regulations:
Marius Dumitrescu concludes that these measures shouldn’t be applied only during the pandemic: the five recommendations apply to any organization whose goal for the next year is to adapt its organizational culture and adhere to GDPR principles.