What are the challenges of General Data Protection Regulation
1. Many new requirements
It is the EU legislators’ firm intent to increase the accountability of anyone processing personal data. How? By imposing responsibilities and requiring controllers and processors to demonstrate compliance with them at all times. For instance, to encourage transparency, various obligations regulate the information given to, access granted to, and communication with the data subject. New and improved rights for the data subject, such as the right to data portability and the right to be forgotten (erasure), will impact companies because such rights need to be accommodated in their internal processes.
2. Specific processes to adopt
The GDPR sets out specific processes for companies to adopt. It intends to help companies structure and formalize certain subject areas, such as risk assessment and decision making. By putting these structured processes in place, companies can work more efficiently and achieve compliance with the privacy rules. For instance, a data protection impact assessment (DPIA) becomes a mandatory prerequisite before engaging in any data processing that is likely to result in a high risk to the rights and freedoms of individuals. Also, the privacy-by-design and privacy-by-default principles require companies to build privacy into the architecture of their products and services. Furthermore, organizations are expressly encouraged to have their data processing certified by a supervisory authority or an approved certification body.
3. Very tangible and visible/verifiable functions and steps need to be realized
It is not only a question of complying with general principles, such as data minimization or accuracy; the GDPR also imposes very concrete measures. For instance, the GDPR obliges companies to keep internal records of their processing activities. Also, personal data breaches must not only be notified to the supervisory authority without undue delay (and, where feasible, within 72 hours of becoming aware of them) but must also be documented, recording the underlying facts, their effects, and the remedial action taken. And there is more: new roles will be created, such as the Data Protection Officer (DPO). Appointing a DPO can be mandatory, for example for businesses whose core activities involve large-scale profiling or tracking of online behaviour, or for biomedical companies that process health data on a large scale.
4. A moving target
Some requirements of the GDPR may remain difficult to implement for some time, as additional guidance on the GDPR is still forthcoming. However, it is imperative that companies take a proactive approach and avoid leaving it too late. In particular, undefined terms such as “undue delay”, “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will need to settle into market practice or be further clarified by courts and regulators.
Feel free to contact E-SPIN for solutions for your systems and operations that reduce risk for your business and organization. We can secure and protect your business with our range of software security technologies, including General Data Protection Regulation (GDPR) regulatory compliance technologies and solutions.