What are the challenges?
1. Many new requirements
It’s the EU legislators’ firm intent to increase the accountability of any person processing personal data. How? By imposing responsibilities and requiring those persons to demonstrate compliance with them at all times. For instance, to encourage transparency, various obligations will regulate information, access and communication with the data subject. New and improved rights for the data subject, such as the right to data portability and the right to be forgotten, will impact companies because such rights will need to be accommodated in their internal processes.
2. Very process-driven
The GDPR sets out specific processes for companies to adopt. It intends to help companies structure and formalize certain subject areas, such as risk assessment and decision making. By putting these structured processes in place, companies can work more efficiently and achieve compliance with the privacy rules. For instance, a data protection impact assessment (PIA) becomes a mandatory prerequisite before engaging in any data processing that may result in a high risk to the rights and freedoms of individuals. Also, the privacy-by-design and privacy-by-default principles require companies to incorporate privacy into the architecture of their products and services. Furthermore, organizations are expressly encouraged to certify their data processing with a supervisory authority or an approved certification body.
3. Very tangible, visible and verifiable functions and steps need to be realized
It’s not only a question of complying with general principles, such as data minimization or accuracy; the GDPR also imposes very concrete measures. For instance, the GDPR obliges companies to keep internal records of their data protection activities. Also, data breaches must not only be notified without undue delay but must also be documented, explaining the underlying facts, the effects, and the remedial action taken. And there is more: new roles will be created, such as the Data Protection Officer (DPO). Appointing a DPO can be mandatory, for example for businesses engaging in profiling or tracking online behaviour, or for biomedical companies that process health data.
4. Increased fines and sanctions
The GDPR could have a huge impact on companies failing to comply. The supervisory authorities can take one or more of the measures listed in the GDPR, such as (i) issuing a warning or imposing a temporary or definitive ban on processing personal data, or (ii) imposing a fine of up to EUR 20,000,000 or 4% of total worldwide turnover, depending on the circumstances of each individual case, or both.
5. A moving target
Some requirements of the GDPR may remain difficult to implement for some time, as additional guidance on the GDPR is still forthcoming. However, it is imperative that companies take a proactive approach and avoid leaving it too late. In particular, undefined terms such as "undue delay", "likelihood of (high) risk to rights and freedoms" and "disproportionate effort" will need to evolve into a certain market practice or be further clarified by courts and regulators.
6. Need for a company-wide project
Because of the above implications, companies should adopt a project-based approach to implementation across the company. Fact finding, objective gap analysis, realistic milestones, and clearly defined roles, tasks and responsibilities will help you break down such an implementation into easily manageable units.