GDPR: what are organisations doing post-May 25th?
Written by Hannah Riley and Chunky Satija
Due to rapid advances in technology and a growing number of internet users, personal data has amassed at scale, requiring new methods for its collection, storage and use. Earlier data protection laws, such as the EU Data Protection Directive adopted in 1995, have struggled to keep pace with this expansion of data.
In May 2018, these laws were replaced by the General Data Protection Regulation (GDPR) – legislation now fit for purpose in the digital age, and intended primarily to protect the personal data of individuals within both the European Union (EU) and the European Economic Area (EEA) (see fig.1). GDPR has become a global concern, with both advanced and emerging markets aiming to conform to these privacy and data protection standards. Companies worldwide that wish to continue offering goods and services to EU residents, or that aim to strike trade deals with the world’s largest trading bloc, will also have to adopt the new European rules.
It has been more than two months since GDPR came into force on May 25th – providing consumers with more data rights than ever before and changing the way companies manage and process personal data. Whilst companies may have viewed the GDPR deadline (ensuring requirements were adhered to by the enforcement date) as their biggest challenge, arguably even bigger challenges remain, with companies experiencing an ever-increasing risk of non-compliance.
The measures that companies choose to put in place will be critical to their success in a post-GDPR world. Though many organisations have invested in solutions to combat GDPR challenges pre-emptively or at an early stage, there is still more that organisations could do, not only to maintain compliance but also to benefit from the business value gained through enhanced customer confidence.
Figure 1 – A timeline of key events leading up to GDPR enforcement.
Organisations continue to face barriers to GDPR compliance
The risk of infringement and subsequent penalties is growing ever more likely for organisations who continue to face compliance barriers in a post-GDPR world. Despite significant investment to ensure solutions are in place to adhere to the new data protection laws, companies continue to experience ongoing challenges in the execution of these solutions.
This is particularly due to the breadth of requirements and the strict timeframe associated with their execution. For example:
Processing high volumes of data subject access requests (SARs) within a 30-day period.
Reporting information breaches within 72 hours to regulators.
Ensuring anonymised data is in fact fully anonymised.
Providing evidence of a valid and lawful basis to process personal data.
Inefficient IT systems and data management processes significantly exacerbate these execution challenges: an organisation that does not know precisely where personal data resides cannot locate it quickly when a request or a breach demands it.
Similarly, a lack of clarity on GDPR requirements and conflicts with data protection components of other legislation are causing difficulties for organisations. Misinterpretation of the new legislation due to its ambiguous guidelines could expose organisations to risk of non-compliance. An area in most need of clarity is the GDPR data retention policy. This policy allows companies to determine their own retention period for clinical trial data, as long as it can be justified according to certain GDPR requirements. This policy not only leaves room for uncertainty but directly overlaps with ICH Good Clinical Practice (GCP), which allows clinical trial data to be archived for at least 25 years after the end of a clinical trial.
Another critical barrier to GDPR compliance is the management of third-party vendors. Organisations are continuing to experience difficulty in mitigating third-party risk under GDPR, particularly organisations that work with large numbers of vendors. Difficulty in monitoring how vendors handle and process sensitive data means organisations may be liable for their vendors’ data security flaws. Organisations face similar challenges in ensuring that data requirements are cascaded down the supply chain effectively, so that sub-contractors can comply with the new legislation.
Although significant time to prepare for GDPR was provided, smaller organisations have found it difficult to fund training and awareness programmes. For multinationals too, particularly those headquartered outside Europe, gaps in GDPR knowledge and awareness are a challenge; the scope to raise global awareness and response is significant.
Organisations have a range of measures in place to support GDPR compliance
In order to satisfy GDPR requirements, companies have invested in a range of measures (see fig.2). However, while these may reduce the risk of non-compliance, it is the integration of such measures into a holistic approach that will enable organisations to benefit and generate business value.
Organisations have invested heavily in technology, as it plays a significant role in supporting GDPR compliance, primarily by accelerating the speed and efficiency of locating data and processing requests. However, technology alone will not guarantee compliance. Data protection should be built into processes, an approach also known as ‘privacy by design’. While the redesign of processes and templates has become a common approach for companies, it must work in parallel with technology – this integrated approach will provide greater assurance of GDPR compliance.
Investment in data management technology has also become a popular GDPR strategy for organisations. This has enabled companies to streamline their workflow processes to become more efficient, to improve their understanding of how customer data is utilised (particularly when responding to customer requests) and, above all, to provide consistent compliance with GDPR guidelines.
Companies have also pursued various structural measures, such as implementing governance frameworks to provide sufficient GDPR oversight. Frequent and open communication between different functions, and ensuring that assigned roles and responsibilities are in place, are crucial aspects of a stable governance structure.
Ensuring the availability of sufficient resources is also essential and has been an early strategy deployed by organisations, particularly so as to respond effectively to large volumes of SARs as data subjects exercise their new rights. Investing internally in the development of training and awareness programmes, particularly in non-EU regions, is crucial to bridging GDPR knowledge gaps.
Equally important are external investments, such as collaborating with other organisations, specialist lawyers or consultants. This facilitates the exchange of knowledge, understanding and awareness of GDPR requirements, helping businesses reach a consensus as they bed down GDPR operations and respond to EU feedback mechanisms.
Figure 2 – An overview of a range of company measures in place to support GDPR compliance.
GDPR can provide a valuable opportunity for organisations worldwide
While GDPR has its challenges, it also presents an opportunity for companies to reposition their relationship with customers: responsible handling of personal data builds trust and confidence. Building this reputation can help organisations set themselves apart and may be achieved through a holistic approach to GDPR while ensuring long-term strategies are in place. In a data-centric world, the importance of personal information will only increase further, especially as other regions enact legislation similar to GDPR. The enforcement of GDPR in Europe is the first critical step towards good corporate citizenship for how companies should value and respect the personal data with which they are entrusted.