The two years since the GDPR legislation was applied have been a time of countless challenges for both companies and DPOs. We asked six data protection specialists what the biggest challenge was for professionals in the data protection field during this period.
Bogdan Manolea, a legal expert, briefly names three main pain points for data protection professionals during the first 2 years: “To exist. To learn. To apply”.
Bogdan Manolea further develops his idea: “The biggest challenge for this profession was to exist, because before 2018 there were only a few specialists with expertise in data protection. The second challenge was to receive the proper training and also, to find additional educational resources. And the third was to be able to apply what they have learned in their day-to-day activity. And, nonetheless, to persuade the management that certain changes are required under the new circumstances.”
For Serban Popa, GDPR consultant at Unity Solutions, the biggest problem was “To acknowledge the necessity of adapting and conforming the processes and activities to the new requirements. Also, to be aware that all of this effort will pay off in terms of clients’ and partners’ trust”.
Raluca Puscas, Partner at Filip & Company, emphasizes the main challenge: “To integrate the requests regarding data protection into the day-to-day activity of companies, by creating awareness within the organization, as well as the habit of integrating the GDPR rules in all the activity lines and the new products developed by the company.”
Raluca Puscas makes another important comment: “Besides their specific activity, the data protection specialists faced the challenge of defining their own role within the organization, combined with the task of explaining and convincing that GDPR compliance is not an obstacle in developing the business or in launching new products”. She added that adapting to a continuously changing business environment and reacting quickly in a crisis situation (like COVID-19 or, more generally, data breaches) also “involves prompt answers and reactions from data protection specialists and these circumstances require a continuous focus and adequate knowledge from the data protection specialists”.
For Stefan Iancu, GDPR Consultant at iPrivacy, the biggest challenges were: “On one hand, clear communication, integration of GDPR compliance objectives at senior management level, ensuring the buy-in and obtaining the required resources within the company; on the other hand, extended DPO’s expertise, in the area of Internal and External Communication, IT, Legal, Risk management, Audit, and Training skills”.
Roxana Mitroi, Attorney at Law at bpv GRIGORESCU STEFANICA, thinks that “mapping – of personal data processed and of activities” – was one of the biggest challenges. Other problems were related to “sensitive areas where consultants’ opinion was asked for. Some business areas such as marketing, profiling, behavior monitoring through new technologies represented opportunities for specialists to shine innovation and expertise. Under these circumstances, it’s important to identify a balance between business needs and GDPR compliance”.
Roxana Mitroi mentions that other challenges are due to “the lack of minimum procedures for data protection and security of data and also, the lack of training for employees regarding personal data processing. That’s why we always start GDPR compliance process projects with training sessions for employees”.
For Marius Dumitrescu, Data Management and GDPR Compliance Solutions Specialist, “Data subjects are actually the biggest challenge for all privacy protection systems. Due to the individual's lack of GDPR and privacy awareness, all industries faced unjustified complaints regarding data subjects’ rights.”
In Marius Dumitrescu’s opinion, “Data Protection Officer (DPO) is the guardian of privacy and data protection processing mechanisms; DPO – this new role – is probably facing the biggest professional challenges due to the general characteristics of the GDPR Law and due to the lack of specific indications regarding standardized implementation”. He adds that the Romanian name of this new role (“Responsabil”) is misleading, because it enforces the idea that the whole responsibility lies on the DPO’s shoulders, which is false, and that in reality almost all professionals start every project by educating the management on GDPR principles and procedures.