Challenges for GDPR Compliance
The European Commission’s General Data Protection Regulation (GDPR) has many stringent rules regarding the collection and processing of personal data that are complex and technical. Processing personal data lawfully involves a great deal of work, and those responsible must be able to demonstrate that they did what is necessary to comply with their legal obligations.
Business processes need to be refined for the specific requirements of the GDPR. For example, the GDPR increases the risk related to a consent-based business model considerably by imposing additional and onerous requirements with respect to informed consent.
Data controllers and their processors will also need to give careful attention to their consent processes and the way they phrase their privacy policies. If companies have treated their consent processes and policy as a formality, they are likely to run into problems under the consent requirements of the GDPR. (A general text such as “We will not use your health data for marketing purposes” is not sufficient to be compliant. The user has to be fully informed about the purposes of data processing and how the data is used.)
The challenges for achieving GDPR compliance also arise from personal data being ubiquitous and therefore:
- almost all organisational processes need to be examined and where necessary action taken in order to comply with the rules of the GDPR
- non-compliance is a constant threat as personal data is processed all the time
- data protection is required by design and by default
- responses to instances of non-compliance are required to be quick
- data controllers and processors must be able to demonstrate compliance and commitment to protecting fundamental rights across their entire organisation.
The Need for Continuous Improvement
The GDPR establishes the “state of the art” as one of the criteria for appropriate technological measures. This means that the most privacy-friendly solutions available contribute to setting the threshold for what can be accepted as an appropriate solution.
If a good solution for a common data protection issue has been found and implemented in practice, there is no longer a good excuse for applying a less data-protection-compliant solution.
This evolution of the state of the art necessitates a dynamic process of continuous improvement of data protection. The more and better data protection by design is implemented, the more it will become the baseline for all controllers to achieve in their implementations.