Manage the Top 10 GDPR Operational Impacts (Part II)

Posted by Jeff Pelliccio on Oct 18, 2017 9:00:00 AM

In ICS insights

In a previous post in our ongoing series discussing the General Data Protection Regulation (GDPR or the Regulation), we started taking a closer look at the top 10 GDPR operational impacts and how you can manage them with ease, as long as you enlist an all-star team.  

We left off at the fourth of the top operational impacts that businesses face in implementing this new regulation with worldwide reach. No matter how prepared you are for the upcoming May 25, 2018 deadline, it may help to understand the potential challenges that may require—at least temporarily—drawing on extra resources until the Regulation becomes more second-nature for your GDPR team.  

Let's Pick Up at Number Five of the Top 10 GDPR Operational Impacts 

Continue to tighten up your GDPR preparation strategy to avoid falling prey to any of the next six GDPR operational impacts:  

5. The Right to Be Forgotten  

This new right for customers may cause a significant strain on companies that store personal data across multiple systems. The right to be forgotten grants customers the right to request that certain information about them be erased from the company's systems. If you have data stored at multiple sites, or within any non-connected system, this requirement may certainly create extra work each time a European customer chooses to exercise the option.  

You may receive a limited number of requests on this front, which would spare your IT team the extra workload, but you must prepare in case this right becomes popular. Devise a strategy that involves the following, according to PwC:  

  • Maintain data inventories.  

  • Accelerate data governance strategies.  

  • Re-design key systems for a more efficient methodology of processing requests.  

6. The Right to Data Portability  

Another new right for European customers is the right to data portability, which is the GDPR response to the "big data" trend, reports IAPP. The Regulation's Article 20 establishes the right to data portability, which gives "the data subject the right to receive the personal data concerning him or her, which he or she has provided to a controller," per the official GDPR recital.  

Upon request, your data controllers must provide the data in a commonly used and "machine-readable" format so that other organizations can easily read the data. Following are a few additional considerations involving the right to data portability:  

  • You must provide the data free of charge. 

  • Per the individual's request, you may send the data directly to the party of their choosing, if technologically reasonable. You do not have to adopt or maintain new systems to ensure compatibility with other companies.   

7. Codes of Conduct and Certifications 

While the codes of conduct and certifications requirements—under Article 41 of the GDPR—may draw fairly heavily on your organization's resources upfront, they can help you to ensure and demonstrate consistent compliance. This requirement provides guidance on the GDPR's requirements, offers compliance transparency and allows third-party oversight to check on controllers' and processors' data handling practices.  

Below are just a few of the many items addressed under Article 41 that your legal and compliance team will need to monitor: 

  • Fair and transparent processing.  

  • The collection of personal customer data. 

  • The exercise of the rights of the data subjects. 

8. The Mandatory Data Protection Officer  

Under the GDPR, large companies must hire a designated Data Protection Officer (DPO). Your organization's data controller and processor must assign a qualified individual for GDPR compliance. Article 37 of the Regulation does not state any specific qualifications of the DPO outside of their "expert knowledge of data protection law and practices," notes IAPP.  

Consider a few of the many crucial tasks of the DPO as you search for the right person to take on this important role:  

  • Inform and advise the controller or the processor, as well as their employees, about their obligations to comply with the GDPR and other data protection laws.  

  • Provide counsel regarding the data protection impact assessments when necessary, according to Article 35.  

9. Restricted Profiling 

The IAPP states that, "under Article 4, data processing may be characterized as 'profiling' when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person."  

Essentially, your controllers must honor all the rights afforded to data subjects under the GDPR, including:  

  • Notice and access.  

  • The right to object, to halt profiling and to avoid profiling-based decisions.   

10. Consequences, Penalties, and Fines  

Nothing epitomizes "operational impact" quite like fines, penalties, and other possible consequences, and the GDPR is packed with them. One way to ward off this operational impact is to make sure you have prepared your organization's various teams to keep the first nine operational impacts in check.  

Keep your executive board and accounting and finance team happy by focusing on the first nine operational impacts to avoid penalties, such as fines levied by regulators of €20 million or four percent of annual global turnover, whichever is higher, if found in non-compliance.  

Get Ready to Minimize Operational Impacts by Building an All-Star GDPR Team  

Avoiding the stress involved with GDPR operational impacts comes down to your development of a decisive strategy and a stellar team filled with IT experts, legal and compliance pros, and accounting and finance wizards.  

Let us help minimize any GDPR-related stress you may be experiencing by recommending some ace players in any of the team positions you need to fill. 
