In a GDPR compliance process, being aware of the pitfalls to avoid can be useful. We have identified five mistakes that can easily block the path towards full adherence.
According to the GDPR barometer published by Data Legal Drive in 2021, a significant number of French companies and public bodies believed that they had reached a level of GDPR compliance of more than 70%, while the minority revealed a compliance rate of less than 50%.
This same barometer also highlights that the digitisation of corporate data governance, still very timid in 2019 and 2020, jumped in 2021. 31% of respondents had digitised their registers, more than double that of 2019. However, 62% of DPOs (Data Protection Officers) and lawyers surveyed still carry out their registers using Excel.
In this context, it is interesting to ask what mistakes to avoid when a company is engaged in a GDPR compliance process. We have identified five.
1) Not considering GDPR compliance as a business project
GDPR compliance is a real business project. If a DPO considers that it is up to him, and him alone, to instil the GDPR dynamic in his organisation, he is mistaken. If the DPO goes it alone, if he works in an isolated and non-collaborative way, if the GDPR compliance project lives its life in parallel, his approach is strongly doomed to failure.
To achieve compliance, it is indeed necessary to involve the management of the company and ALL business departments. Without massive sponsorship from the general management, and without active participation from the business departments, the project has little chance of success. Similarly, the DPO must work closely with the company’s CIO and CISO.
2) Not being sensitive to sensitive data
GDPR compliance is a project that closely affects the company’s most sensitive data. If we do not perceive the highly strategic issues related to this data, it is because we do not want to protect all of the company’s datasets, from customer data to employee data, through to subcontractors.
A security management system, such as the 27001 standard, can be a good springboard for GDPR compliance. By covering the five major risks related to the protection of personal data (confidentiality, integrity, availability, identification, and retention period of data), this type of approach provides a solid framework and support.
3) Making the DPO judge and the judged
This error is similar to the first in that the DPO must be positioned in the company as a guide and not as someone who makes all decisions or does all the work. If the DPO sets up new processes and then checks that their work has been done, this is the best way to discredit their action.
Conversely, the DPO must be put in a position of super advisor to the business entities. His role should be that of a conductor. The company’s business departments, with its support, must take an interest in the data collected, for example on employees, during the recruitment, integration, payroll or departure phases, or on customers (commercial software/CRM…).
4) Not giving yourself the means to match your ambitions
Talking about the means to be devoted to GDPR compliance, which means evoking a multitude of realities that vary according to the organisations, their sector of activity, their turnover, their size, etc.
That said, not setting up a team dedicated to this very particular project, not allocating a specific budget to it, not granting it resources (the purchase of specialised software for example, if the need arises), not giving the DPO the means for their mission without planning or a timetable, is quite simply putting oneself in a situation of failure.
Likewise, not asking yourself the question of the support you could benefit from, e.g., by a specialised consulting company, means giving up the potential benefits that external expertise could bring. This is all the more true when the DPO is not full time.
5) Relying solely on technology
GDPR compliance is not just about databases or dashboards. Governance is important, as discussed earlier. Assumed leadership from the management of the company is essential.
Beyond this aspect, GDPR compliance can also be seen as an opportunity to create value for the company. Many indicators can indeed be extracted from manipulated databases, which can generate valuable insights for all departments and create a lasting competitive advantage.