GDPR after 14 months: What’s been done and what’s to come?
Author: Roxana Ionescu
1. Full implementation of GDPR rules is not yet completely there, but organizations are working on it
Before May 25, 2018, everybody talked about being compliant on that date. After GDPR application has become a reality on May 25, 2018, organizations stopped focusing on the date itself and started to work on how they can actually apply their newly-adopted GDPR policies and procedures in practice.
This meant moving away from general gap assessments to actual review of each process and activity involving the collection and use of personal data. And, here is the catch: GDPR compliance is a moving target: reassessment is necessary every time a process changes or when the legal framework on which a process relied on changes.
But the starting point is the same: an organization should understand what personal data it uses and why, and under which conditions it can do it. From there, it can put in place the proper information notices, hence ensuring the proper level of transparency. It can also hold its records of processing, determine which processes require more in-depth assessments like legitimate interests or personal data protection assessments. And it can also help organizations more swiftly assess if a data breach (should it occur) involves risks which require the notification of the data protection authority (“DPA”) or the affected individuals.
Awareness is still not what it should be, especially when moving from large organizations to macro and small size enterprises, but GDPR is a “theme” that will not go away. It is, thus, likely that awareness will increase and with it the actual effective protection of personal data GDPR is supposed to bring along.
2. DPA leniency is over… but as an organization, you should not despair
The first fine applied by the Romanian DPA certainly draws attention. This is due to both the amount of the fine – EUR 130,000, and the breach identified – a banking institution not ensuring data protection by design and by default in its online system, as required under Article 25 of GDPR, that lead to systematically disclosing the payer’s personal numeric code and address to the payment recipient.
But all in all, we are still talking about only three fines applied in over one year of GDPR application. Compare this with other numbers: around 400 data breach notifications received, 460 investigations performed ex-officio and 456 investigations performed further to receiving data subjects’ complaints by the DPA in the first year of GDPR. Some would say that these numbers show the DPA’s lack of concrete action. To do so is to ignore all the corrective measures and consultative actions taken by the DPA in the past year. From this perspective, it is clear that the DPA has focused more on encouraging compliance than seeking to apply fines for the sake of it. And this is as it should be.
Still, one cannot ignore the risks involved by non-complying with GDPR and it is clear that fines are now on the table. So what are organizations to do?
3. Adapting processes and IT solutions is still a work in progress…
Companies, especially large ones, can hardly claim that GDPR is a done deal. This is because their processes and IT solutions are constantly changing and with each change, GDPR compliance needs to be reassessed.
But the core of such assessment remains the same: companies need to ensure they understand what and why they want to do with the personal data, whether and under what conditions they can do it, and then explain this to the individuals in question. Companies also need to focus on ensuring that they do not use excessively and not retain it when no longer relevant, hence the intense discussion over data retention periods. They should also be able to protect the data while they retain it. As the latest Romanian DPA enforcement actions pointed out, this does not mean merely adopting technical measures for data security, but also organizational ones. So companies should take a hard look on how they manage user access to personal data, how and when such data may be shared and printed and how all such actions can be documented and ultimately controlled.
4. …but for new processes, the work is already half-way done
The good news is that all this GDPR awareness is gaining momentum within organizations. If before May 25, 2018, personal data protection was a non-topic in many cases, now it has become a mandatory element taken into account when corporate bodies approve new initiatives and activities.
And the industry is coming up to meet this challenge. However, all IT solutions which are already “data protection by design” will not ensure actual GDPR compliance if organizations using them do not give proper attention to how such solutions are implemented. In doing so, they still need to ensure that they do not collect excessive personal data, protect the data while they hold it and put in place proper protocols for updating and deleting the data when no longer necessary.
In conclusion, it would be naive to say that GDPR compliance has taken over Romanian companies at all levels. Nevertheless, with every action, GDPR and personal data protection moves further from an abstract notion and closer to an actual day-to-day reality for organizations.
Parts of the article have been first published in Business Review magazine. The article is available here.
