Preparing for the EU General Data Protection Regulation (GDPR) takes a lot of time and effort. Organisations will need a team dedicated to implementing the GDPR’s requirements, but compliance isn’t just the domain of specialists. Anyone who handles EU residents’ personal data needs to be made aware of the Regulation and how to meet its requirements.
The process will throw up obstacles at every turn, from deciding which lawful basis to rely on when collecting data to whom to appoint as data protection officer. Our blog provides advice on various aspects of the GDPR; here we outline some of the main compliance challenges that organisations face.
Managing budget constraints
Organisations need to spend time and money updating their policies and processes, and teaching staff about these changes. Our GDPR Report found that more than half of respondents had allocated less than £5,000 (about $9,000 AUD) to GDPR compliance.
By comparison, organisations typically spend between $9,000 AUD and $36,000 AUD on ISO 27001 compliance. This suggests that organisations’ GDPR budgets are unrealistically low, leaving compliance practitioners with a lot of work to do and not much money to do it with.
Putting the required processes in place
Many cyber security mistakes are the result of employee negligence, so the GDPR stresses the importance of developing processes and policies for everyone in the organisation to follow. Law firm Stibbe explains that structured processes “formalize certain subject areas like risk assessment and decision making”, enabling organisations to “work more efficiently and achieve compliance with the privacy rules”.
Organisations need to document the steps they take towards cyber security. In the event of a regulatory investigation, documentation will be used to determine whether the organisation’s processes meet the GDPR’s compliance requirements.
Documentation is also essential in cases where individuals object to data processing. Organisations are required to state which lawful basis they relied on when collecting the data, and in some instances that lawful basis will determine whether the objection has to be upheld.
Coordinating compliance across the organisation
Some compliance requirements will affect the whole organisation whereas others will only apply to certain departments. Senior staff in each department need to know the necessary steps to take, and the employees within those departments need to be aware of the changes.
Negotiating a ‘moving target’
No one is quite sure how the GDPR will be enforced. Different national regulators will interpret phrases such as “undue delay” and “likely to result in high risk to the rights and freedoms of natural persons” differently, making it hard for organisations to prepare for the Regulation.
However, this isn’t an excuse to adopt a ‘wait-and-see’ approach to compliance. The Regulation will be enforced – often strictly – and even though there may be differences in interpretation initially, regulators will be much more lenient on organisations that attempt to meet the requirements compared to those that make no effort.
Need help complying with the GDPR?
The problems outlined here are the sort of issues our GDPR consultants can help you address.
Our experts will help you with data flow audits and GDPR gap analyses, which assess your current level of compliance and identify the issues you’ve not yet resolved. We also provide GDPR transition services for those who need more thorough help. These consist of integrated activities to help you develop and implement a data protection framework in line with the Regulation’s requirements.