It has been five years since the EU General Data Protection Regulation (GDPR) became applicable on 25 May 2018. Yet many of the mistakes companies made when GDPR was still new continue to be repeated. Unfortunately, the Regulation and its obligations remain largely misunderstood, exposing organisations to various risks. In this article, we explore the five big mistakes that, in our experience, companies make when it comes to GDPR, and how to avoid them.
Mistake n°1 – underestimating the importance of tackling GDPR compliance as soon as possible
Many companies, especially those not operating in a highly regulated industry such as healthcare or the financial sector, do not prioritise GDPR compliance or do not consider it at all. Why? For various reasons, such as:
- GDPR compliance is expensive. It costs money, and most of the time a lot of money, to hire internal or external resources for GDPR remediation and to keep the compliance journey alive afterwards. Smaller companies have limited financial resources and can rarely afford such a luxury.
- Prioritising business-generating activities is often a question of survival for small companies. In that respect, GDPR appears a lesser threat than not being able to cover business operating costs. So, if it is considered at all, they decide to tackle GDPR at a later stage, when the company is big enough and financially stable.
- Lack of understanding of GDPR and its scope. More often than not, companies do not know what Personal Data means exactly, or assume that GDPR applies only when Sensitive Data is involved and that they do not fall under GDPR when they actually do. Sometimes companies not operating in a B2C market tend to think they are GDPR safe because they do not process “client data”. What about employees’ data? This is personal data and GDPR applies.
- Ignoring the long chain of possible risks. It is not all about fines. What about reputational damage? Information travels at the speed of light today, and a single vocal customer complaining about how their privacy rights or personal data are handled can cause considerable damage to image, brand, credibility and trust. Think about partnerships, B2B clients and investors: many companies refuse to do business with companies that are not GDPR mature. It is standard procedure to perform a GDPR due diligence before entering into a business relationship, and if you do not pass it, you may lose an investor, a business partner or a client.
Why is this thinking dangerous, and why is it so important to start addressing GDPR at the earliest stages?
If you think that addressing GDPR is expensive, be sure that not addressing it at all, or doing it later, is far more expensive. Why? If you fall under the GDPR, you must be able to demonstrate compliance at any time. The grace period is over: companies had two years, from 2016 to 2018, to sort themselves out and prepare for the new regulation. So now it is very simple: if you process personal data, you need to comply with GDPR. You can’t say, “I will first get a stable business and resources, and then I will comply with GDPR.” That’s just not how it works. It’s not pleasant, but it’s not a choice. It’s the same as taxes: when you earn revenue, you pay taxes whether you like it or not, simply because it’s the law. GDPR is not optional either; it’s the law, and the regulators expect organisations to comply with all its obligations. If you don’t, it’s at your own risk: you are running the risk of being fined, investigated, sued and so on. And let’s face it, it’s not only about the fines. Who wants to spend time on administration, preparing files and documents and contacting lawyers instead of focusing on their business? So forget about the fines and think instead about all the time and energy you will spend, and the cost of it, if you don’t have your GDPR in order and the ability to demonstrate it easily.
If you secretly wish or think that GDPR might not be relevant to you, you are most probably wrong. The scope of GDPR (read more here) is so broad that the chances that an organisation falls under GDPR are greater than the chances that it doesn’t. So make sure you get an expert’s advice on whether GDPR applies to you before concluding anything.
The longer you wait to address it, the more expensive GDPR compliance will be. Why? Because if you start small, your GDPR remediation is likely to be smaller. Fewer business processes means fewer activities involving personal data, which means less record-of-processing documentation, fewer assessments and fewer legal documents. Fewer personal data processing activities also means potentially fewer data transfers, which means fewer data processing agreements and less due diligence (TPRM, third-party risk management), as well as a lower risk of data breaches. So if you start addressing your GDPR at the very early stages, it won’t cost you a lot, and your GDPR compliance maturity will grow together with your business, as it should, meaning that the cost of your compliance grows proportionately with your business.

On the other hand, if you wait until your business has grown and you are financially stable to address your GDPR compliance, it means first that you run the risk of not being compliant for a certain period, and second that you may need to dedicate a much larger budget to GDPR remediation, because you would need to tackle it retroactively. This means more complexity and thus more expertise and more time, a larger scope and a higher risk of missing things, project management, and more of your business’s time dedicated to GDPR. GDPR then becomes a project in its own right, costing you time, money, and internal and external resources that your business could instead dedicate to other activities. GDPR should not be a project; it should be a constant, incremental effort that is always there but does not drain all your time and resources to the detriment of your business. And this is achievable only if you start tackling it as soon as possible!
Mistake n°2 – thinking that only large companies get fined
A common misconception is that only large companies get fined. Of course, multi-million fines imposed on companies such as Amazon, Google and Facebook make the front pages for weeks and get more media attention. However, the reality is that fines are imposed on all types of organisations failing to comply with GDPR, and here is the proof (you can see all the fines imposed in the EU since the beginning of GDPR here). Naturally, the bigger the company, the bigger the fine is likely to be, as one way of calculating fines is as a percentage of the company’s turnover, which can reach up to 4% of the annual group turnover. So fines for smaller companies are logically smaller, but not necessarily.
GDPR applies to all organisations that process personal data, regardless of their size, industry or sector. In fact, smaller companies may be at an even greater risk of receiving fines due to their limited resources and lack of compliance expertise; they may not have the same level of understanding of GDPR compliance and the regulatory landscape. Since 2018, a total of 1541 fines have been imposed, amounting to € 2,761,586,432! Some of those fines have been imposed even on INDIVIDUALS. Therefore, thinking that not being a large corporation saves you from GDPR fines exposes you to an even higher likelihood of non-compliance and subsequent fines.
Mistake n°3 – thinking that GDPR compliance is only about marketing emails consent and cookies
We still hear far too often: “We use Mailchimp or a similar tool for our marketing email consent, so we are GDPR covered.”
The GDPR contains 99 articles.
Roughly half of those impose obligations on companies. Consent is only one legal basis out of six, stated in one article out of 99. Indeed, consent is required in certain circumstances, and making sure that marketing email opt-ins and opt-outs are well managed is surely key. However, there are many other cornerstone obligations, such as:
- Record of Processing Activities (art. 30 GDPR): organisations (with few exceptions) are required to document their personal data processing activities AND to keep this record up to date. In case of an internal or external audit, investigation or other inquiry, this is in all likelihood the first document that will be requested. This record is the “map” of your personal data flows. So, beyond being a GDPR obligation, it can be very useful for establishing sound data governance and generally being informed about, and in control of, what data you hold, where, for what purpose and how you use it. As you can imagine, this exercise can be fairly long and painful, so the earlier you start, the better. The good part is that the smaller the organisation, the smaller the scope of this exercise is likely to be. Once the record is built, you only need to keep it up to date, which normally requires considerably less work, as organisations do not change their processes that often. But how do you keep it up to date? For this, you need to develop and document processes and implement them in your business.
- Data Protection Impact Assessments (DPIA) (art. 35 GDPR): in certain cases, organisations are required to perform an impact assessment of the privacy risks to individuals stemming from the introduction of a new product, process, service or, more generally, personal data processing activity. Besides the fact that the DPIA has to be performed following a methodology aligned with the GDPR and the regulatory guidance, this obligation also means having various processes: processes to identify and assess when a DPIA actually needs to be performed (the triggers), clarity on who is responsible for performing it and a validation process, and a process for establishing a remediation plan where necessary and following up on it.
- Data Breaches (art. 33, 34 GDPR): a lot of the fines concern data breaches. While no one is safe from a data breach, it is mandatory to have the right measures and processes in place to discover and rapidly and effectively manage the risks stemming from a personal data breach. The GDPR requires personal data breaches presenting a risk to be notified to the competent regulator within 72 hours, and breaches presenting a HIGH risk to be notified to the individuals concerned as well. In practice, this means having a set of well-orchestrated processes to rapidly discover a personal data breach, report it internally, assess its risk (from a GDPR perspective, which is not the same as the organisational risk perspective; confusing the two is a common mistake) and decide whether to notify it and to whom.
- Data Processors (art. 28 GDPR): you are required to have a signed contract, called a Data Processing Agreement (DPA), with all third parties that process personal data on your behalf. The contract should define, among other things, the organisational and security measures that the third party has in place to ensure a high standard of data protection. Drafting, negotiating and simply keeping track of your DPAs can on its own be overwhelming, but unfortunately that’s not all. To ensure that the contract is more than a document expressing good intentions, it is crucial to establish processes that allow for effective control before (through due diligence) and after (through audits) entering into a contractual relationship with a third party. These processes should be designed to ensure that the contract is enforceable and that both parties comply with the relevant laws and regulations. Note also that this responsibility is not one-sided: as a third party handling personal data on behalf of a client or partner, you will likely be required to undergo GDPR due diligence, and failure to demonstrate GDPR compliance could cost you partnerships or clients. Therefore, both parties must prioritise due diligence and audits to ensure a successful and compliant contractual relationship.
You can see that just these four obligations, out of many more in the GDPR, already require a substantial amount of work and expertise to define, document and implement the various policies, processes, frameworks and risk assessment methodologies involved.
Mistake n°4 – combining the Data Protection Officer (DPO) role with an IT role
Having a DPO is a legal requirement for some organisations. Others may choose to appoint one without being legally obliged to. Either way, the DPO is a regulated role. While it does not carry requirements as heavy as those for a Compliance Officer, the DPO role is established by law, by the GDPR itself. For example, DPOs must be registered with the competent authority and have to be independent and free of any conflict of interest. Far too often we have seen, and continue to see, that the DPO hat is combined with IT, data teams or other roles, especially where resources are limited. A DPO must be impartial and independent, and must have a comprehensive understanding of data protection regulations and best practices. While IT security is intrinsic to privacy and data protection, these are two different disciplines with sometimes different objectives: an IT team will often be more focused on technical solutions and IT security than on privacy. By combining the two roles, organisations risk diluting the attention and resources devoted to data protection and overlooking critical issues because of conflicting priorities. In short, IT professionals are essential for implementing data protection measures, but appointing them as DPOs is not recommended, as it can jeopardise the integrity of data protection efforts.
In fact, we have seen that regulators are very strict on the independence criterion for DPOs. The Proximus case is a prime example. In 2020, the Belgian Data Protection Authority fined the Belgian telecom company Proximus for appointing the head of its Compliance, Risk Management and Internal Audit departments as DPO, thereby failing to protect the DPO from conflicts of interest.
In that regard, where resources are limited, it may be wiser to appoint an outsourced DPO.
Mistake n°5 – thinking it’s a one-time exercise that can be outsourced once to a law or consulting firm
Some companies think that after hiring a law firm to draft their Data Protection Policy, privacy notices, DPAs and other GDPR legal documentation, they are safe and GDPR compliant. This could not be more wrong. While having your legal documents in order and up to date is crucial, it is just as important to have those policies actually implemented on a continuous basis within the organisation. How do you do that? Through processes, processes, processes, training, training, training, and controlling and monitoring that the processes are respected. Thinking that your GDPR job is done once the legal documents and the record of processing are complete would be wrong and risky. Don’t throw all your efforts in the bin by stopping after your GDPR remediation journey: GDPR compliance is an ongoing process. It is therefore critical to have the right processes in place, well implemented and orchestrated, as early as possible. The better those processes are embedded, the stronger your GDPR organisational culture will be and the less painful maintaining GDPR compliance will become. Ensuring data privacy is not just the responsibility of the Data Protection Officer and the privacy team, but a responsibility and commitment that should be embraced by the entire organisation, both vertically and horizontally.
So what are the key takeaways, and how do you avoid these five mistakes?
- Start ASAP! Better to start small than to wait and start big. GDPR requires a risk-based approach, which means proceeding step by step and prioritising the key risks first, with proportionate measures. How do you know your key risks? Start with a GDPR gap/maturity assessment.
- Consult a privacy expert to establish whether GDPR applies to your organisation. Make sure it is an actual expert: someone with a proven track record and a number of years of experience with EU data protection laws. Nowadays we see many people interested in becoming GDPR experts but lacking actual EU regulatory experience, which often leads to incorrect interpretation of the law and/or incorrect implementation. Don’t skimp on expertise, as doing so will likely cost you more afterwards.
- Think process, business integration and engagement. Even if you have the best GDPR legal documents in place, such as contracts, policies and privacy notices, that is not enough and cannot constitute full-fledged compliance. It would be like buying a car with a seatbelt and then not wearing the seatbelt while driving. You need implementation and continuity.
- Take time to find the right DPO. It is a regulated role which requires a certain expertise, seniority and independence. In the meantime, it is better to outsource.
Want to know how the iReina Platform and team can help you achieve this and avoid these mistakes painlessly and cost-effectively? Request a demo today.