This GDPR research, carried out by Data Privacy Manager, revealed that businesses have taken very different approaches to GDPR compliance. We interviewed Data Protection Officers (DPOs) from 29 different companies.
This GDPR research presents the key takeaways and the overall GDPR readiness of the surveyed companies. Let’s move on to the first question.
How are you currently keeping the records of processing activities?
Records of processing activities, data retention, and data subjects’ requests GDPR research findings:
- A surprisingly high percentage of respondents keep their records of processing activities (ROPA) in Excel (54%). Only 14% have automated their operations with software specialized for the GDPR.
How are Organizations currently keeping ROPA?
DPM: Excel is the starting point for most companies when they create their records of processing activities. However, it usually creates even more obstacles because it cannot connect the ROPA with the different IT systems in which the data actually lives.
In addition, you cannot segregate ownership between departments: everyone with access to the Excel file can see all sheets and records, which is not the goal.
Each department (e.g., Marketing, HR) will have its own Excel sheets, will need to update them regularly, and will send them to the DPO, who will then struggle to integrate them all in one place.
- Even though most companies still keep ROPA in Excel, over 82% of them consider that Excel is not an optimal tool for managing ROPA.
Is Excel the optimal tool for keeping ROPA?
DPM: This confirms our previous finding, as well as our previous statement that Excel is not the best solution for the ROPA.
It means that 4 out of 5 DPOs will look for a different solution to the efficiency problems of keeping ROPA in Excel. This is where specialized GDPR software can help.
- More than half of them (64%) have defined data retention policies for personal data. It is astonishing that, more than a year after the GDPR came into full enforcement, 35% of companies have not defined their data retention policies or do not know whether they have.
Have Organizations defined data retention policies?
DPM: It is very important that you define how long you will keep personal data after its lawful basis has expired. This serves as an established protocol for retaining data for operational needs, and also lets you demonstrate compliance to the regulatory body.
If you properly define a data retention policy, you will know exactly how long you keep each category of personal data and in which systems.
We advise you to implement the data retention policy in cooperation with your IT and legal teams, to make sure you will actually be able to delete or mask the data when the time comes.
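The retention policy described above only works if it is expressed per system and per purpose and is enforced by a job that knows what to do when the period runs out. The following Python example is added here to illustrate that; it is not code from Data Privacy Manager or from the research. The systems, purposes, retention periods, records and the salt are all constructed for the illustration. Records whose purpose has no rule are reported as "undefined_policy" rather than silently kept, which makes the gap the survey describes (companies without a defined policy) visible in the output.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class RetentionRule:
    keep_for: timedelta   # how long to keep data after the lawful basis ended
    action: str           # "delete" or "mask" once keep_for has elapsed


# Constructed example policy keyed by (system, purpose). The periods are
# illustrative assumptions, not legal advice.
RETENTION_POLICY: Dict[Tuple[str, str], RetentionRule] = {
    ("crm", "newsletter"): RetentionRule(timedelta(days=30), "delete"),
    ("hr", "payroll"): RetentionRule(timedelta(days=365 * 6), "mask"),
}


@dataclass
class Record:
    record_id: str
    system: str
    purpose: str
    basis_ended_on: Optional[date]   # None while the lawful basis is still valid
    fields: Dict[str, str] = field(default_factory=dict)


def mask_fields(fields: Dict[str, str], salt: bytes = b"constructed-salt") -> Dict[str, str]:
    """Replace direct identifiers with a keyed hash so the row can still be
    counted for statistics without identifying the person."""
    masked = dict(fields)
    for key in ("name", "email"):
        if key in masked:
            masked[key] = hashlib.sha256(salt + masked[key].encode()).hexdigest()[:16]
    return masked


def due_actions(records: List[Record], policy, today: date) -> Dict[str, str]:
    """Map record_id -> action for every record whose retention period has run out.
    Records with no rule for their (system, purpose) get 'undefined_policy'."""
    result: Dict[str, str] = {}
    for r in records:
        if r.basis_ended_on is None:
            continue                      # lawful basis still valid, nothing to do
        rule = policy.get((r.system, r.purpose))
        if rule is None:
            result[r.record_id] = "undefined_policy"
        elif today >= r.basis_ended_on + rule.keep_for:
            result[r.record_id] = rule.action
    return result


def apply_actions(records: List[Record], actions: Dict[str, str]) -> List[Record]:
    """Return the record set after deleting or masking as instructed.
    'undefined_policy' records are left untouched so a human can decide."""
    kept: List[Record] = []
    for r in records:
        action = actions.get(r.record_id)
        if action == "delete":
            continue
        if action == "mask":
            r = Record(r.record_id, r.system, r.purpose, r.basis_ended_on, mask_fields(r.fields))
        kept.append(r)
    return kept


# Constructed sample data: five records in three systems.
SAMPLE_RECORDS = [
    Record("r1", "crm", "newsletter", date(2020, 1, 1), {"name": "Ana", "email": "ana@example.com"}),
    Record("r2", "hr", "payroll", date(2015, 1, 1), {"name": "Bo", "email": "bo@example.com"}),
    Record("r3", "crm", "newsletter", None, {"name": "Cy", "email": "cy@example.com"}),
    Record("r4", "support", "ticket", date(2020, 1, 1), {"name": "Di", "email": "di@example.com"}),
    Record("r5", "crm", "newsletter", date(2021, 5, 20), {"name": "Ed", "email": "ed@example.com"}),
]


if __name__ == "__main__":
    today = date(2021, 6, 1)
    actions = due_actions(SAMPLE_RECORDS, RETENTION_POLICY, today)
    for rid, act in sorted(actions.items()):
        print(f"{rid}: {act}")
    remaining = apply_actions(SAMPLE_RECORDS, actions)
    print("records kept:", [r.record_id for r in remaining])
```

Run on 2021-06-01, r1 is due for deletion, r2 for masking, r4 is flagged because no rule exists for ("support", "ticket"), r3 is skipped because its lawful basis is still valid, and r5 is not yet due because its 30 days end on 2021-06-19.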
- There are still not many data subjects’ requests. 41% of respondents have not received any requests so far, 37% received between 1 and 10, while the rest of the respondents (22%) received more than 11 data subjects’ requests.
DPM: The relatively small number of data subjects’ requests shows that the general population is still not fully aware of its rights under the GDPR.
The rights granted by the GDPR, such as the right to be forgotten and the right to information, are important to an individual who wants to make sure their personal data is being processed in a proper and transparent way. The full list of the GDPR rights of data subjects is displayed here.
How many data subjects’ requests have been filed so far?
The biggest ROPA challenges are related to data retention and data subjects’ requests. In the research, DPOs stated they struggle the most with:
- “Defining privacy policies and documentation, technical solutions, and data administration, as well as foreseeing the challenges.”
- “Awareness of an individual about their rights. Insufficient protection of legitimate interest.”
- “Data mapping and manual deletion.”
- “Inquiries on the web.”
- “There are no rules of the profession in human resources, so it is difficult to define data retention rules.”
Consent and Preferences management GDPR research findings:
- Almost 90% of companies process some personal data on the basis of consent.
Are Organizations processing personal data on the basis of consent?
DPM: Since the majority of organizations process personal data based on consent, it becomes clear that consent and preference management solutions are very important for keeping everyday business efficient.
The consent and preference solution must be synchronized with the acquisition channels (web, mobile app, customer portals, etc.) and with other IT systems, such as the CRM, and it must ensure transparent marketing communications. With such a solution, there is no uncertainty about whether a line has been crossed with clients.
- Companies tend to run several processing activities based on consent. Over 90% of those surveyed answered that they have at least 3 different processing activities based on consent.
How many different processing activities do organizations conduct on the basis of consent?
DPM: From our experience, once a company starts to implement GDPR processes and solutions, there is a tendency to keep the number of consent definitions small. However, as time goes by, it becomes very clear that the GDPR requires stricter processes and finer granularity.
Better informed data subjects will not opt in if they see several purposes tied to one particular consent. It is mandatory to define one consent for each purpose.
- Most companies either do not keep personal data at all after the consent has expired, or they have not defined how long they would keep personal data collected under a particular consent. 31% do not keep personal data in such cases, while 39% of them have not defined data retention policies.
How long do organizations keep personal data after consent expires?
DPM: Some companies want to eliminate all possible risk; therefore, they do not keep personal data at all after the consent expires.
However, the largest group of respondents (38%) has not defined what to do about data retention. It seems that most companies are in the dark when it comes to storing or removing data. If you are looking for a solution to remove data, download our e-book.
- Companies are still unsure about using re-consents. Half of them still do not know whether they will ask for re-consent before the existing consent expires, while only 20% plan to ask for another consent before the existing one expires.
Is marketing planning to ask for re-consents?
DPM: The marketing department wants to keep its database filled with customers’ personal data. That’s why opting out and the expiration of consent are not its favorite scenarios.
Most marketing departments still do not have a clear action plan for what to do after a consent expires, and that’s why 50% of them still do not know whether they will ask for re-consent.
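Both points above, one consent per purpose and knowing which consents expire so that re-consent can be planned, come down to how the consent register is modelled. The following Python example is added here as an illustration and is not code from Data Privacy Manager or from the research. The purpose catalogue, the validity period attached to each consent, the subjects and the dates are constructed assumptions. The register refuses a consent that names a purpose outside the catalogue (so a bundled "newsletter+profiling" consent cannot be recorded), answers whether processing for one specific purpose is currently covered, and lists the active consents that will expire within a given window so marketing can decide about re-consent before the data has to go.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed purpose catalogue: every consent must name exactly one of these.
PURPOSES = {"newsletter", "profiling", "product_updates"}


@dataclass(frozen=True)
class Consent:
    subject_id: str
    purpose: str              # exactly one purpose per consent record
    granted_on: date
    valid_for: timedelta      # validity period the organization sets (assumption)
    withdrawn_on: Optional[date] = None

    def expires_on(self) -> date:
        return self.granted_on + self.valid_for

    def active_on(self, day: date) -> bool:
        """True if the consent was granted, not withdrawn, and not expired on `day`."""
        if self.withdrawn_on is not None and day >= self.withdrawn_on:
            return False
        return self.granted_on <= day < self.expires_on()


class ConsentRegister:
    def __init__(self) -> None:
        # One entry per (subject, purpose); a new consent replaces the old one.
        self._consents: Dict[Tuple[str, str], Consent] = {}

    def record(self, consent: Consent) -> None:
        if consent.purpose not in PURPOSES:
            raise ValueError(f"unknown or bundled purpose: {consent.purpose!r}")
        self._consents[(consent.subject_id, consent.purpose)] = consent

    def withdraw(self, subject_id: str, purpose: str, day: date) -> None:
        key = (subject_id, purpose)
        if key in self._consents:
            c = self._consents[key]
            self._consents[key] = Consent(c.subject_id, c.purpose, c.granted_on, c.valid_for, day)

    def may_process(self, subject_id: str, purpose: str, day: date) -> bool:
        """Processing for `purpose` is allowed only if a specific, active consent exists."""
        c = self._consents.get((subject_id, purpose))
        return c is not None and c.active_on(day)

    def expiring_within(self, day: date, window: timedelta) -> List[Tuple[str, str, date]]:
        """Active consents that expire by day + window, for re-consent planning."""
        out = []
        for c in self._consents.values():
            if c.active_on(day) and c.expires_on() <= day + window:
                out.append((c.subject_id, c.purpose, c.expires_on()))
        return sorted(out)


def build_sample_register() -> ConsentRegister:
    """Constructed sample: three subjects with different consent states."""
    reg = ConsentRegister()
    reg.record(Consent("ana", "newsletter", date(2021, 1, 1), timedelta(days=365)))
    reg.record(Consent("ana", "product_updates", date(2020, 1, 1), timedelta(days=365)))
    reg.record(Consent("bo", "newsletter", date(2021, 3, 1), timedelta(days=365)))
    reg.withdraw("bo", "newsletter", date(2021, 5, 1))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    today = date(2021, 6, 1)
    for subject, purpose in [("ana", "newsletter"), ("ana", "profiling"),
                             ("ana", "product_updates"), ("bo", "newsletter")]:
        print(subject, purpose, "->", reg.may_process(subject, purpose, today))
    print("expiring within 240 days:", reg.expiring_within(today, timedelta(days=240)))
```

On 2021-06-01 only Ana's newsletter consent is usable: her product_updates consent expired on 2020-12-31, she never consented to profiling, and Bo withdrew. The re-consent list for the next 240 days contains Ana's newsletter consent, which expires on 2022-01-01.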
Data Protection Officers were also asked about the biggest challenges concerning consent management in their companies. Here are some of the answers:
- “Marketing”
- “Data destruction”
- “Automation of data processing”
- “Manual data entry and data management”
- “Defining records of processing activities and legal basis for processing”
- “Detecting personal data in IT systems”
The GDPR is obviously a challenge, and although many companies have defined their policies and started their processes in the direction of GDPR compliance, most of them still struggle with different IT systems and the amount of data across those systems, as well as with the inability to effectively manage consents and records of processing activities in Excel.
With all that in mind, it is highly recommended that companies begin to operationalize the processes that are affected by the GDPR.
Each company faces different obstacles and challenges, so a range of solutions can come in handy.
Did you come across some of the GDPR challenges mentioned in this GDPR research? Let us know which GDPR challenges you face in your company, and we will contact you and help you.