GDPR At 2: What Are The Challenges?
Punit Bhatia
Managing Consultant | Making Privacy, Data & AI Compliance and Sourcing Hassle-Free | Host of the FIT4PRIVACY Podcast | Published Author | Keynote Speaker
For legislation like the GDPR, which has been in effect for only 2 years, it is likely that challenges and open questions remain. Let us look into some of the challenges that continually pose questions to business and privacy leaders:
- Framework Approach Requires Interpretation - The GDPR is framework legislation, that is, it provides principles around which the processing of personal data is to be based. This is very annoying for people who want binary inputs or clear, definite answers on what is to be done. This is especially true for questions like "can we soft delete data", "what is the basis for marketing", etc. The law requires interpretation, and interpretation requires a deep understanding of the law. This is a big challenge because not everyone understands the law so deeply, and even those who do tend to differ in their opinions on various key matters. Certainly, this remains a huge challenge for both business leaders (in terms of what to do) and privacy leaders (in terms of what to recommend).
- Multiple Guidance From Authorities - In a law that requires interpretation, guidance from authorities is welcome, but multiple sets of guidance on the same topic do not help. Instead, multiple sets of guidance accentuate the challenge and make the interpretation problem even more complex than it is without guidance. Take the latest example, the pandemic: guidance on what is legitimate and permitted would have helped immensely, but now we have guidance on COVID-19 related processing from each authority in each member state, and even from the European Data Protection Board. For a company operating in multiple countries, how does one work with that?
- Same Activity, Multiple Legitimate Bases - The freedom to make our own interpretations has meant that personal data processing for an activity like marketing is being done under different legitimate bases. Some companies are processing it under legitimate interest while some are asking for consent. As per the law, both are permissible, but how will the authorities view this when an individual complains to an authority? This will remain an open question for some time before consensus and clarity emerge.
- The DPO Role - The role of a Data Protection Officer (DPO) is essential in ensuring that the organization organizes privacy governance and compliance in a structured manner. However, the breadth of the DPO role has meant that it has been challenging for most DPOs to find ways and means to ensure the correct implementation of policies and procedures across business functions. A study by CPO Magazine indicates that at least 28% of companies with over 1000 employees face this challenge.
- Artificial Intelligence - Some say "Technology leads and laws follow". This seems to hold true in the case of AI, robotics, and innovation, where it is believed that the possibilities are enormous but clarity from the law is limited. Supporters of the law say that the GDPR has provisions and principles that guide what can be done, and how, when it comes to new and emerging technologies, but there are more open questions than there are answers.
- Small Companies - While large companies have used their means to set up and define privacy departments, or hired consultancy firms to take action towards compliance with the GDPR, smaller companies have still been at a crossroads on what to do, or even on whether to take action at all. Access to good privacy professionals remains a challenge, and this has meant that smaller companies have not yet taken enough steps to comply with privacy laws. I looked through the websites of about 150 small marketing and advertising companies (with fewer than 200 staff) and found that at least 30% do not have a privacy statement, or their privacy statement is not compliant with the law. Similarly, a study by CPO Magazine states that at least 29% of companies with fewer than 1000 staff find it a challenge to find the right resources.
- Practical Issues - In spite of guidance and the GDPR being in force for two years, it is still challenging for most companies to find answers to the simplest questions, such as when to report a data breach, or what data to share in the case of a Data Subject Access Request. There are many practical issues like this, and these will be solved as companies gain maturity and experience in dealing with such situations.
I understand that I have not touched upon all the challenges but focused on a handful. My idea is to touch on the key challenges and acknowledge that there are two sides of the coin. While there are positives, there remain challenges.
Now that I have shared my views on the key challenges, I encourage you to share what you consider to be the challenges from the GDPR being in effect for the last two years. And please do like, comment, and share what you think. Your inputs are appreciated and read carefully.
Note:
As I shared in my article "GDPR At 2: How To Look At Two Years Of The GDPR Regime?", this article is part of a series of articles on GDPR at 2. In the next article, I will explore what the enforcement actions with regard to the GDPR have been, and why.
Punit Bhatia is a privacy consultant who is the author of multiple books on GDPR, privacy and sourcing, a speaker at global events, an advisor on privacy matters, and the host of The FIT4PRIVACY Podcast. Punit helps business and privacy leaders in identifying the strategic priorities for privacy compliance and managing the execution in a simple and structured manner. Punit is known to use simple business language while avoiding legal jargon. Punit is a certified Fellow in Information Privacy (FIP), CIPM, CIPP-E, and COP.
Did You Know? Punit's book "Be Ready For GDPR" is ranked as #1 and the book "Intro to GDPR" is ranked as #9 in the list "25 Best GDPR eBooks of All Time" published by BookAuthority.com.
The FIT4PRIVACY Podcast - A Podcast For Those Who Care About Privacy is available on iTunes, Spotify, and Stitcher.