Based on a survey of the 1000+ participants in more than 100 GDPR certification Masterclasses around the world, we can report the following key findings. Many companies have rebuilt, rewritten or revamped their entire data protection programme; others have spent a lot of money to get GDPR compliance on paper and are now focusing on the enforcement challenges. Many more have concluded that restructuring is needed and are trying to find the resources to achieve it, while only a few have just started to get serious about GDPR compliance.
This changing data privacy, data protection, IT and cybersecurity landscape is the primary concern of boards of directors and senior management. They have highlighted the need for more reality-based compatibility between laws, privacy programmes and specific GRC legislation.
GRC practitioners, on the other hand, are looking for roadmaps and frameworks as a potential solution to the continually evolving compliance landscape. It is, however, the focus on privacy and GRC risk, and on the controls that organisations can adopt to manage that risk, that could help organisations “future proof” their data processing operations and better prepare for the increasingly complicated legal landscape.
Calibrating GDPR enforcement within the organisation is a daunting task for most companies. Many companies have only scratched the GDPR surface, relying on guidance provided by external advisers. These companies are now struggling to translate that advice into systems, workflows, processes, products, services and contracts. Unfortunately, the passage of time will require the guidance to be updated, and these challenges are overwhelming for small companies.
It seems that in most cases companies met some of the GDPR deadlines, but the resources and staffing required often proved hard to justify. Some of the difficulties reported by data controllers and processors related to identifying the GDPR stakeholders and revamping privacy policies, IT governance, and transparency and accountability mechanisms. Database and risk-register issues related to legacy systems with unstructured data, multiple platforms, and streamlining processes with thresholds, roles and responsibilities are among the principal challenges.
The key findings from the survey of the 1000+ participants in more than 100 GDPR certification Masterclasses around the world are:
- Individual awareness of privacy rights has improved
The GDPR has succeeded in raising individual data subjects’ awareness and knowledge of their data protection rights. 60% of countries worldwide are now implementing legislation with the GDPR as a model approach to data protection.
- The role and responsibilities of the DPO, Controller and Processor are confusing
Companies now rank the structure of the DPO, Controller and Processor roles as a top GDPR challenge. The difficulties are primarily around the decision-making process, lack of clarity about the tasks, segregation of duties, or a combination of all three.
- Data subject access requests (DSARs) are often overwhelming
Most organisations have built systems or processes to manage DSARs in-house, including manual, one-off and cumbersome systems that require discussion before each request can be answered.
- New data controller/processor liabilities and insurance
Article 28 of the GDPR places new responsibilities on data processors through data processing agreements. Participants said that further insurance options, caps and indemnities are needed to make this process smoother and help processors guard against unforeseen risk.
- Registers of processing activities and data minimisation
Article 30 requires controllers to maintain a record of processing activities, and participants viewed it as a useful exercise that helped companies understand and organise their data processing activities.
- Raising the bar for privacy risks
The GDPR’s role in elevating data protection, and Article 35’s data protection impact assessments, have been embraced globally as a way to increase their visibility and effectiveness.
- Territorial Applicability unsettled
Some organisations are still unclear on the GDPR’s territorial reach. Some are also confused about how territorial applicability affects the need for or use of data transfer mechanisms.
- One-stop-shop in practice
Language barriers have made the one-stop-shop approach challenging to navigate, and it is difficult for companies to identify leadership in the location of their main establishment.
In the next issue, we will elaborate on most of the above items and provide guidance and solutions to some of the key findings to continue your GDPR journey.