As the GDPR deadline draws near, the frantic preparations by companies are finally coming to an end. Seeing the large number of data breaches, the EU has taken a step forward to make user privacy the topmost priority for organizations.
This new framework for data security and protection has added several obligations for organizations. Although many companies have already complied with GDPR, some are still struggling to get the regulation in gear.
GDPR implementation is not a matter of a day or a month. In its wake, companies have to revise their entire set of internal policies, procedures and processes to meet the requirements of GDPR compliance.
Read our previous articles to get a complete picture of GDPR, its impact, and what businesses are undertaking to meet the demands of GDPR compliance.
Here is a list of all the major challenges GDPR brings with it!
May 25 is just a starting point. The language used in GDPR is quite vague, which makes it hard for companies to understand the processes. According to reports, only 25% of businesses have a serious idea about this regulation. In addition, a major concern is the cost of reaching compliance: the endless number of changes and updates to internal policies requires huge investment and effort.
Also, these norms and regulations are new, so it might take some time for companies to adapt to the changes. But organizations with organized solutions will certainly adjust better than those who try to adapt later.
A Huge Challenge for Small Businesses
From large-scale organizations to midsize businesses to small companies, all hold sensitive data which they need to protect. To become compliant with GDPR, the major issues small companies have to face are:
- High investment required for high-tech security programs
- Appointment of a DPO (Data Protection Officer)
- Training employees to report a data breach within 72 hours
- Maintaining quality control over the supply chain: validating that all suppliers and contractors involved with your business are GDPR compliant
- Preparing for data portability, in case a customer asks for a copy of their data
- Appointing members who are solely responsible for handling Data Subject Requests
Small companies have fewer resources to handle these challenges and less margin in case any error occurs (which is quite common).
Regular Data Subject Requests
This is the biggest change and challenge for organizations. They have to deal with all data subject requests promptly, as GDPR gives individuals and users the right:
– to ask what data the company stores
– to know how their data is being used
– to know what type of personal data is concerned
– to know the purpose of processing their sensitive information
– to get their data deleted any time they want, and
– to lodge a complaint with the supervisory authority
It is fairly obvious that inquiries will turn up on a daily basis. Since no company can violate these rights, they must set up processes that alert the necessary team members every time a Data Subject Request arrives. The information given to users should be transparent, fair and concise. Organizations can no longer use complicated language to mislead and confuse consumers.
DPO is Obligatory
With the aim of harmonizing data protection across EU nations, the appointment of a Data Protection Officer (DPO) can be seen as a major GDPR impact on businesses. According to Article 37 of GDPR, appointing a DPO is mandatory for every public authority and wherever data is subject to constant monitoring and processing.
GDPR brings a new job opportunity. The DPO must have expert knowledge of data protection laws. GDPR has not clearly specified the level of expertise a DPO should have, but broadly, the more complex the data processing, the more proficient the DPO should be.
A DPO should carry out duties and responsibilities such as:
- Managing internal data protection affairs
- Looking after individuals' rights and consent
- Monitoring compliance with GDPR and other data protection laws
- Training staff on the importance of compliance requirements
- Working hand-in-hand with controllers and processors
Rise in Data Hacks
As organizations are trying to comply with the new data protection regulation, reports are emerging at the same time that cybercriminals are extorting firms that have not yet complied, demanding ransoms slightly lower than the GDPR penalty. With more people getting involved in the online world, the chance grows that they will be hit by ransomware, BEC (Business Email Compromise) extortion attacks and cryptocurrency mining.
Though this regulation will help make all our data safer, hackers are still going to hack.
So there is a need to adopt cross-generational security methods which will help mitigate the risk of data hacks.
Burden on Official Entities
The key players involved here are Controllers and Processors.
Controllers are the ones responsible for answering the questions "what", "why" and "how" regarding the processing of individuals' personal data. A controller can be any entity, public authority, person, organization or agency.
The main role of the controller is to keep a clear picture of how an individual's data is used; if a consent issue raised by a user is not handled appropriately, the company will be subject to fines (as per GDPR).
Processors are the ones who process users' personal information. In GDPR terms, a processor is a legal person or agency who processes data on behalf of a controller. In simple words, the controller decides about processing activities and the processor carries out those operations.
The controller selects the processors who carry out further treatment of the data, so the burden of handling data accurately and properly falls equally on both. It is also the processor's responsibility to erase the data once the processing is complete.
Major Threat to Marketers
Marketers are largely or wholly reliant on consumer data. According to sources, only 20% of users believe that, even after this data protection regulation comes into force, companies will not be able to use, manage and protect their data strictly.
From taking permission for data to granting data access, it becomes a marketer's responsibility to ensure that users can easily access the data which is being used or sold to third parties for profit. As a marketer, it becomes essential to understand how much data you are collecting and to ask yourself whether you actually need a user's marital status or favorite cuisine preference before they agree to connect with your page.
Few areas where GDPR will affect your marketing activities:
- Website cookies: collecting visitors' browsing patterns for your benefit will no longer be accepted! Marketers now need to take consent for cookies on their site, and that consent must be transparent and unambiguous. You must also give visitors a separate way to withdraw their consent if they want.
- Major impact on customer data management: marketers have to reconsider what kind of data they store, how they store it, how they process it, with whom they share and transfer it, and finally how it is accessed.
- Influence on e-mail marketing: marketers have to hold clear documentation of the users who have consented to receive emails from them, along with information about how that data will be used for marketing. If you obtain a user list from a third party, you have to make sure they hold similar documentation.
Consequences for GDPR Violation
Since this regulation will impact every organization no matter where it resides, your company cannot afford to take no measures toward compliance. GDPR's impact on businesses is quite steep, as the penalty structure is divided into two tiers depending on the nature of the violation.
- The higher fine threshold applies when the organization has violated:
– individual rights
– consent of a user
– data transfer rules
– processing of data (when it was limited for a definite time)
If these articles are violated, a fine of 4% of the company's turnover or up to €20 million, whichever is higher, will be charged.
- The lower fine threshold is imposed on controllers, processors and other surveillance bodies in case:
– children's personal data is acquired and processed without consent
– supervisory authorities are not notified within 72 hours of a data breach
– users or customers whose data has been leaked are not notified within the given time frame, and
– other obligations on surveillance bodies, the DPO (Data Protection Officer), certification bodies etc. are not met
If these articles are violated, a fine of 2% of the company's turnover or up to €10 million, whichever is higher, will be charged.
Though GDPR is making several significant changes, it is not a complete departure from existing principles and systems. This regulation is here to stay, with all its challenges and drawbacks; at the same time, organizations should stop whining and understand its opportunities as well. Whether this revolutionary data protection regulation stands on its potential or staggers under red tape will be decided when it is enforced on 25th May, 2018.