8 typical GDPR challenges and how to solve them: Insights, solutions and methods from the first two years with the new regulation
When the General Data Protection Regulation (GDPR) became applicable in May 2018, many organizations rushed to introduce measures to become compliant. Looking back, we can identify four major reasons for the shortcomings that persist to this day:
- The effort for implementing GDPR was underestimated and could not be carried out within the allocated budget.
- In many cases, the implementation was not handed over to experienced project managers and instead needed to be handled on top of the daily business.
- GDPR implementation was often viewed as a one-time project rather than an ongoing task. That is why many companies now need to catch up with the changes in the regulation made over the past two years.
- Local law requires country-specific solutions. However, many international companies focused on general EU-GDPR guidelines without taking local adaptations into account.
As a result, considerable improvement potential is still waiting to be tackled. This is especially true as organizations collect and process more and more personal data: the complexity of data handling, and with it the cost of compliance, will increase steeply if it is not handled well.
In this article we share 8 typical GDPR challenges and ways to solve them. We have encountered those issues frequently over the past two years when working with our clients.
- The user experience of many GDPR processes (e.g. the Data Protection Impact Assessment (DPIA) and the register of processing activities) is poor. Too much information is collected, and combined with unclear input forms this leads to a lot of questions going back and forth.
- As a result, GDPR processes are time-intensive for all employees involved (process and system owners, Data Protection Officers and the central GDPR team), and therefore the cost of compliance is high.
- Limited risk overview: despite all the effort, the organization often does not know what the biggest current risks are and where to focus its efforts.
- Sometimes there is even a lack of transparency about the completeness of the register and the DPIAs.
- Awareness of data protection and GDPR among decision makers in the business is low, because the process is perceived as a bureaucratic obligation with no value to the business.
- The business often complains that various central functions require similar information about the same data (e.g. for the Data Protection Impact Assessment, the Cloud Risk Assessment, Data Retention, etc.) and perceives this as unnecessary additional work.
- Lack of alignment with other central functions such as Data Governance and Master Data Management leads to confusion about who is responsible for what.
- Sometimes ownership for registering data processing activities sits with the system owners, who were identified and trained at the beginning but often lack the business perspective. As a result, the register and the DPIAs cover only system-driven data processing activities and exclude manual handling of data, e.g. in Excel spreadsheets.
Having worked with these issues again and again, we believe there are good solutions and methods to master them. Design thinking, simplicity concepts, customer journey design and other breakthrough improvement techniques can help to find and implement more effective and more efficient solutions.
First of all, it is important to create engagement with the business in order to improve the quality of input and results. A prerequisite for this is a convincing user experience and journey, which is the foundation for increasing awareness and understanding in the organization.
Solutions to make your GDPR processes fit for the future
Blending our experience with regulations, effective compliance and radical simplicity, here are the five most important tips on how to make GDPR processes fit for the future:
- A good user experience for the business user is the prerequisite for acceptance and active ownership of compliance by the business (compliance that is easy to own). Design conventions in the digital world have advanced tremendously towards ease of use, so any process with serious shortcomings in this respect will be interpreted as bureaucratic and as an attempt to make people's lives difficult.
- Simplify the scope and language of information collection. Not every piece of information that could be collected adds value to data protection. Focusing on what matters most improves both the quality of input and the overall results. Business Process Redesign can help to rethink processes completely: instead of long back-and-forth between different teams (so-called process ping-pong), it often makes sense to bring the teams together for a 30-minute, highly structured meeting to find answers that would otherwise have taken days or weeks. This helps to reduce lead times drastically (by up to 90%) and to improve efficiency by up to 50%.
- Standardization: very often data protection specialists feel that DPIAs and other assessments need individualized, experience-based solutions. However, our experience shows that most of them can be standardized, provided the criteria are well defined and explained, good support is given during implementation, and the quality of input is audited regularly.
- Ownership should sit with the business, not with the system owners. The transfer is difficult, but very worthwhile in the longer run.
- Alignment with the other central functions around all data-related topics, such as Data Governance, the Cloud Risk Assessment and Data Retention, may look challenging at the beginning. But if you do not integrate all these topics into a "one face to the (internal) customer" approach, the business will find it hard to take you seriously (they have been working to achieve exactly this towards their own customers for a long time!).
On top of that, you should define how data protection can add value to the business. The importance of data and data processing to most business processes will increase drastically. Data2Value and data monetization will change the way we do business and make money.
Data protection teams can therefore play a very important role: not only in ensuring the legal basis for data processing and avoiding fines and business interruption imposed by regulators, but also, especially together with Data Governance, in triggering new synergies in working with data and acting as a catalyst for Data2Value innovation.
User experience design and radical simplicity, proven techniques from the user-centered design thinking space, can be very inspiring for compliance processes, especially for collecting input items such as the Data Protection Impact Assessment effectively. With these techniques you can often achieve reductions of up to 90% in lead time and up to 50% in cost of compliance, with a corresponding gain in efficiency, while increasing quality at the same time.
We recommend treating GDPR-triggered processes such as the Data Protection Impact Assessment like real business processes: set up KPIs and targets for speed and efficiency, and define ways to monitor quality and completeness.
Over the last two years one lesson in particular has been confirmed: efficient and effective GDPR processes can rarely be achieved through off-the-shelf software solutions or standardized concepts.
If you take data management seriously and believe in its potential value for the business, this can only be achieved by involving the various stakeholders and jointly developing a tailor-made approach for the organization. What may sound like a larger initial investment will pay off over time.
About the Authors
Friedemann Lutz is a Director at OXYGY. He has supported numerous Management Teams to run demanding change initiatives, translate ambitious strategic goals into reality and reach and sustain better business results. Many times he has facilitated the discovery of simple, innovative and customer-centric solutions while eliminating the burden of complexity.
Lennart Schüßler is a Partner in Bird & Bird’s data protection practice group. Over the years he has advised many clients from both the public and private sectors, particularly in the healthcare, automotive, financial services, retail and telecommunications sectors. He advises clients on data protection, IT, online and copyright law.