With less than a month before it finally takes effect across the EU, the GDPR is still treated by many businesses as a complicated piece of legislation, triggering serious debate between professionals and regulators and imposing a heavy compliance burden on large organizations. However, the GDPR implementation date – May 25, 2018 – should be looked at more as a starting line than as a hard deadline, since it gives organizations the opportunity to map – through their search for any personal data processing – both their entire corporate life and their day-to-day operations.
The first step for any organization starting a compliance process should be to raise internal awareness by asking experts and team leaders from across the organization to join forces and decide on the best GDPR compliance and implementation practices, taking into account the actual needs and weaknesses of the business. It is crucial for the organization to bring all internal stakeholders on board, from the customer support service, to the human resources staff, up to the strategic intelligence unit, in order to jointly identify optimized implementation practices, set new standards, and gradually structure the business ecosystem upon which all actions and initiatives will be deployed.
An additional fundamental exercise that any large organization should undertake before a comprehensive data audit is to design an effective budget plan for the project. The organization should be prepared to commit valuable resources to the project in terms of time, manpower, and money, and to assess its size and market exposure, the rough amount of personal data processed as part of its core business, and the extent of its interaction with third parties and/or non-EU countries.
The compliance project should commence as soon as the organization has received a gap analysis assessment from its trusted privacy advisor. This is a report setting out all elements identified during the assessment of the organization's current status that are not compatible with the requirements of the GDPR. When it comes to the gap analysis assessment, organizations may choose between either a quick, tick-box assessment, leading to a high-level implementation plan, or a quality assessment, including a more thorough examination of all frameworks, organizational aspects, strategies, and management practices, which will produce a detailed data map portraying in full the processes and flow of personal data within the organization. In any case, the assessment approach will depend upon the maturity level of the organization, the existence of written policies, and the actual implementation thereof.
The GDPR demands a radical shift in the corporate structure and mentality of the organization, as the relevant compliance process is extremely intrusive to the day-to-day life of businesses. It is this highly intrusive nature of the GDPR compliance procedure that makes organizations’ leadership reluctant to undertake compliance efforts and cooperate efficiently with their privacy advisors, especially when their compliance scheme entails interviews. In particular, when interviewed about their organizations’ operations, data processing and flow, and on their daily activities, executives frequently develop a defense response mechanism similar to the one used by people under interrogation, often invoking common avoidance excuses that they hope will disengage them from the interview process.
However, as reality sets in, the GDPR looks more like an opportunity for businesses than a crisis point. The GDPR compliance process is a win-win situation for organizations, as it provides them with the opportunity to create business value, improve their operational structure, and eventually gain a competitive advantage. GDPR-compliant organizations will immediately get ahead of their industry competitors by attracting clients who value their data and wish to entrust it to an organization sharing the same principles.
In full awareness that reaching maturity may be a long process, organizations should ensure that their GDPR compliance is sustainable; such sustainability may be achieved through ongoing monitoring and assessment of the organization's policies and operations, continuous training of staff, and the development of technical and operational measures that will ensure that the organization is always in a position to demonstrate readiness and accountability.
By Michalis Kosmopoulos, Partner, Mariliza Kyparissi, Senior Associate, Drakopoulos
This article was originally published in Issue 5.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.