10 GDPR Implementation Pitfalls to Avoid
The new General Data Protection Regulation went into effect on May 25, 2018, and promises to be a game-changer for organizations that conduct business in the European Union. GDPR requires companies to reevaluate their policies and procedures regarding the handling of personal data. Noncompliance with GDPR can result in actions ranging from written warnings to financial penalties of as much as $25 million or up to four percent of annual global revenues.
As with the implementation of any broad-ranging regulation that impacts an organization’s operating practices, GDPR compliance can pose a significant challenge. A defense of ignorance won’t carry much weight with the supervisory authority (SA), the independent body charged with GDPR investigation and enforcement in each member nation.
The following list includes 10 pitfalls that can prevent you from achieving full GDPR compliance:
- Failure to engage the entire organization: A common mistake is viewing GDPR as only an IT issue since it pertains to data privacy. In fact, the regulation touches any area of the organization that handles personal data, as well as third-party representatives. Consequently, full GDPR compliance demands a holistic approach that encompasses and engages everyone from C-suite executives and mid-level managers to rank-and-file employees and vendors.
- Failure to build a GDPR team: A lack of adequate GDPR expertise can quickly put your organization on a path to noncompliance. Establishing an in-house GDPR team is a critical step for ensuring thorough preparation and maintaining compliance after implementation. Your team should consist of a designated data protection officer (DPO) and leaders from other departments such as IT and human resources.
- Failure to understand how data moves across and beyond your organization: The modern organization consists of multiple data flows and sources. Effective GDPR implementation requires a comprehensive understanding of all business processes – you need to know how data is collected, where it is stored and who has access to it in every business area.
- Failure to recognize shadow systems: The term “shadow system” refers to any information service used in your business processes that is not under the jurisdiction of your IT department. Examples include unauthorized cloud services and software packages. Ensuring GDPR compliance requires taking an inventory of each business area to identify, review and, if necessary, delete these systems. This will also help you to verify that you are covering all the data addressed by the regulation.
- Failure to comply with the purpose limitation concept: GDPR stipulates that personal data must be processed for a specific reason. You must be able to document that you have used the data only for its intended purpose throughout the data chain, from initial collection through final implementation.
- Failure to verify consent: When one considers all the methods available for collecting data these days – websites, credit card purchases, surveys, etc. – it is easy to overlook a source. If you are unable to substantiate that an individual or entity consented to the collection of their personal data, you have likely committed a GDPR violation.
- Failure to delete data completely: GDPR sets forth more stringent requirements for the deletion of personal data when requested by a consumer. While traditional data management practices allowed for the archiving of data, GDPR takes it a step further by mandating the permanent deletion of all records and files associated with the individual. For many organizations, the GDPR preparation process will include retrieving previously archived files and expunging the information.
- Failure to implement sufficient data access control measures: Keeping a tight rein on the parties that have access to personal data will be more important than ever with GDPR going into effect, especially when one considers that organizations will now have only 72 hours to respond to a breach. Now is the time to review your policies and procedures regarding who can access data, along with your permission-granting protocols, encryption methods, etc.
- Failure to update privacy notices: Under GDPR, many data privacy and security steps that were previously considered best practices will now become mandatory measures. Instead of only notifying the customer about the intended use of their personal data, it will be necessary to provide further information such as the lawful basis for processing the data, the retention period and the customer’s right to file a complaint if they believe the organization is misusing their information. You will likely need to update your privacy notices to include these details.
- Failure to fulfill requests for data: Once GDPR goes into effect, customers will have more robust rights regarding obtaining copies of the personal information that organizations have on file about them. It is essential to have a system in place to ensure a timely response to these requests, especially if there is heavy demand for the information.
Mitigating Your GDPR Compliance Risk
While each organization will face unique GDPR compliance challenges based on the nature and scope of its operations and its current level of GDPR readiness, there are three steps that virtually every business should implement to reduce its exposure to risk:
- Investing in training: GDPR will represent a significant change for many organizations; adhering to outdated operating practices will no longer suffice. It is imperative to provide GDPR-specific data protection and privacy training for all employees who handle personal information.
- Investing in technology: Upgrades in technology, specifically the use of automated data management practices and software, can reduce the likelihood of human error and increase efficiency.
- Investing in breach response plan development: A well-crafted data breach response plan is critical for ensuring GDPR compliance and avoiding costly penalties. Make sure your plan will allow you to react in a timely and sufficient manner.
While many organizations view GDPR compliance as a burden, a more productive approach is to see it as an opportunity to dramatically improve your data privacy maintenance practices, which can transform the way your customers perceive your organization.