GDPR was the most radical rewriting of data protection laws ever undertaken. Adopted in 2016 after four years’ debate and drafting, it had global reach and immediate implications. The challenges GDPR brought to UK organisations were huge. Any enterprise handling European citizens’ data was obligated to audit and account for its use, and put adequate measures in place to ensure its safekeeping, whether in use or at rest.
While many of these measures were technical – for example, to comply with Article 32’s demand for pseudonymisation and encryption of personal data – other changes were organisational, and affected not only enterprises’ technical architecture, but the way they worked and interacted both internally and with third parties on a daily basis.
Almost three quarters (70%) of organisations surveyed by Deloitte six months after GDPR’s enactment had “seen an increase in staff that are partly or fully focused on GDPR compliance”. This was true both within and outside the bloc. “Comparisons between EU countries and non-EU countries are limited to differences of 1 or 2%… which illustrates the global impact that GDPR has had.”
In many cases, organisations will have employed their first data protection officer (DPO). The role took second place in LinkedIn’s Emerging Jobs Report for the UK in 2020, which noted that “as data privacy concerns grow, so too does demand for talent to fill such roles as data protection officer and cyber security specialist”.
Yet, the position of data protection officer, which organisations are required to appoint under Article 37 of GDPR, has a specific meaning in this context. Thus, notes IT Governance, “experts have suggested that, although organisations will benefit from an independent expert, the DPO role should be reserved strictly for organisations that fit the GDPR’s criteria. Everyone else can appoint someone in an analogous position, such as a GDPR Manager. Doing that gives organisations the flexibility to adapt the role to their specific requirements without inadvertently violating the GDPR’s DPO requirements.”
Internal vs external DPOs
While large organisations are likely to appoint their own in-house officer, that is not necessarily required. Article 37, Clause 2 states that “A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.”
The DPO must act with independence, even when employed directly by the data processor, and in many cases this makes it impossible for existing staff in certain roles to take on the job themselves. Such positions, says Advantio, “may include senior management positions (such as CEO, COO, CFO, Chief Medical Officer, Chief Marketing Officer, Head of Human Resources, or Head of IT department). It also applies to other roles in the organisational structure if they lead to the determination of purposes and means of processing”.
Thus, there are benefits to contracting with an external organisation to fill the role by providing DPO as a service. “This level of independence is guaranteed with an external DPO,” explains DPOrganizer. “As a DPO needs to report to the board, an internal DPO is likely to be a C-level executive. Their bonus structure and share allocation could make it difficult to be fully independent.”
Software, systems and process changes
Increased staffing wasn’t the only investment driven by the challenges of GDPR. Deloitte, in the research cited above, found that almost four in five had implemented a data loss prevention solution, among other technologies, although in this instance the difference between EU-native and external organisations was more pronounced, with evidence that “where organisations outside the EU lean towards external tooling, EU based organisations show a preference for internal tools”.
In many cases, the cloud services on which enterprises increasingly rely now include tools that will help them verify that they are operating in line with the requirements of GDPR and other data processing regulations. Microsoft 365’s Compliance Manager, for example, helps enterprises “manage their compliance posture from one place and conduct real-time risk assessment, providing one intelligent score that reflects their compliance performance against protection regulatory requirements when using Microsoft cloud services.”
It will also frequently be necessary for enterprises to perform a Data Protection Impact Assessment (DPIA) at the outset of any processing that could put data subjects at risk. A DPIA both defines the limits of the data processing operation and identifies the risks and any measures that could mitigate them.
Inability to mitigate risk entirely doesn’t necessarily mean that a project cannot go ahead, but UK-based organisations finding themselves in this position are required to consult the Information Commissioner’s Office (ICO) in advance of starting work.
The ICO undertakes to provide guidance within eight or 14 weeks, depending on the complexity of the case, and may issue formal warnings or ban the processing altogether. In any case, organisations handling data in a manner covered by the requirements of GDPR will need to plan further in advance.
Challenges posed by pending UK GDPR legislation
When the UK left the EU, it transposed the requirements of GDPR into domestic law, in the form of UK GDPR. However, the UK recently consulted on potential changes to the law aimed at “developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK,” in the words of culture secretary Oliver Dowden.
In the interim, this is likely to result in uncertainty, which will prevent organisations from implementing necessary changes. While they can put measures in place to comply with the Data Protection, Privacy and Electronic Communications Regulations, and thus remain compliant with GDPR on the basis of the regulations’ equivalency, they can’t know whether these same measures will be compliant with amendments to UK GDPR when implemented in late 2022 or early 2023.
Similarly, while it makes sense for UK GDPR to remain as close as possible to the EU’s own GDPR regulations to protect the multi-billion euro cross border trade that relies on continued equivalency, there is no certainty that it will do so. UK-based organisations may therefore find themselves unable to comply both with ‘local’ law, as passed in Westminster, and European law.
In extreme cases, the only practical solution may be to set up a firewalled subsidiary on the European mainland to deal with European subject data separately from that handled in the UK. This may incur additional costs and prevent organisations from implementing improvements and cost savings across their entire customer or supplier base, or impede their ability to develop a single customer view.