On May 25th 2018 the EU General Data Protection Regulation (GDPR) came into effect. Months before, and even months after, companies were rushing to implement and comply with GDPR. During this race we, the so-called data subjects, were flooded with emails requesting our consent for marketing purposes, amongst many others. This felt like the opportunity to get rid of all of the unsolicited commercial "spam". But did this actually work?
From personal experience we don't really see the difference. Although every commercial message gives you the opportunity to unsubscribe, the messages often still keep on coming. But that doesn't mean GDPR has made no impact. Most companies did indeed clean up their act and now only market to you if you have actually provided consent. Furthermore, formal data processing agreements have been put in place between companies and their suppliers/vendors, in many cases even when this was not necessary.
One year has passed since the compliance deadline so one may think that now all organisations have this under control, right? Wrong. The struggle is real and if you’re still having difficulties, don’t panic, you’re not alone.
The following are the common issues that we have seen companies struggle with:
1. Data subject rights
When it comes to the rights of the data subject (Articles 12 to 22), the regulation is quite clear on the how, what and when. But we see that the implementation isn't as straightforward. Companies still have many outstanding questions, even though the Article 29 Working Party and the European Data Protection Board (EDPB) have released numerous guidelines. Some examples of such key outstanding questions are:
- How much data should be provided in case of an access request?
- When does the effort to provide all data become out of proportion in relation to the request?
- How to handle recurring requests from harassing data subjects?
- How to best implement data portability?
- Can I keep a record of data deletion?
2. Data Protection Impact Assessment
Article 35 paragraph 1 says: "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and the purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data…".
Although the article is quite clear, companies struggle with the practical implementation of such a Data Protection Impact Assessment (DPIA). When is processing considered to be high risk for the rights and freedoms of natural persons? To answer this question, we can look to the Article 29 Working Party, which provides some guidance on when to perform a DPIA. However, how to practically perform such an assessment is less clear. Some Data Protection Authorities (DPAs) have noticed this need and have developed tools and templates to support this exercise. For instance, the CNIL has developed a DPIA software tool to support companies in such assessments, the ICO provides some checklists, and of course some third-party vendors also provide tools in support of such assessments.
3. Data breach reporting
Most companies have assigned a Data Protection Officer (DPO) and registered them with their data protection authority. And statistics show that since GDPR came into effect the number of data breaches reported to the DPAs has significantly increased.
The numbers published by the European Commission show 41 502 data breaches reported and 95 108 complaints from May 2018 until January 2019.
However, what the figures don't show is the fact that companies are struggling to assess the actual impact of a data breach and to decide when to report it to the DPA and/or the impacted data subjects. Some DPAs have provided guidance on how to perform the impact assessment, but they lack a calculation model to support it. Fortunately, ENISA developed a data breach severity methodology, published as early as 2013, which is easily translatable into a data breach impact assessment tool. Based on a score between 0 and 5, it can provide the necessary support to accurately report data breaches to both the DPA and the impacted data subjects.
4. When am I GDPR compliant?
This is the main question that still remains unanswered today. Most companies have done all they could to be GDPR compliant. However, to date no certification bodies as described under Article 43 have been created. So, what can companies do in order to reassure themselves that they are as compliant as possible? They can use ISO 27001, or use internal control frameworks that have been developed by some DPAs, like the CNIL control framework and NOREA's Privacy control framework.
One year after GDPR came into effect, its practical implementation is where companies are still looking for guidelines and best practices. In general, GDPR remains a subjective regulation in which a huge number of the articles can be interpreted in various ways. When it comes down to it, GDPR implies being pragmatic in how you manage personal data and its lifecycle. Acting in good faith is key to the regulator. If you can provide an action plan or a concrete rationale for why you took certain decisions with regard to personal data, you will clearly show maturity when it comes to GDPR. A close collaboration between Legal, Compliance and other departments is key to solving this puzzle.
The above are some of the struggles that we've encountered ourselves. We've been supporting many organisations in their journey to become GDPR compliant. Do you feel like you also need some guidance, or just a chat? Don't hesitate to contact us, or go to our website and discover our other specialisations.