Aside from setting up the internal governance and organisation needed to ensure GDPR compliance, which is a challenge in itself, companies have had, over the past few months, to comply with several obligations, such as creating their data processing register, providing mandatory information to data subjects, and adapting some existing agreements.
The negotiation of new GDPR-related provisions with service providers acting as data processors is an ongoing challenge. Indeed, aside from the question of qualification as a data processor, which is often contested, rightfully or not, by service providers refusing to be considered data processors and therefore having to comply with new obligations, the negotiation of the provisions themselves can be tricky. “What we have notably seen is that data processors try to limit the right of audit provision; they also try to limit their liability by putting a cap on the amount they would have to pay in case of breach of their data protection obligations,” explains Audrey Rustichelli.
On the other hand, companies acting as data controllers often take this as an opportunity to impose more obligations on data processors than the GDPR already requires. This can be very time consuming for organisations acting as data processors, which therefore have to negotiate and sign new GDPR provisions with all their clients.
Other considerations revolve around the management of access requests from data subjects, which seem to happen less often than some organisations expected but have nevertheless raised many questions about how to handle them. Companies had to find a modus operandi to provide a copy of the data, as literally required by the GDPR, without affecting other data subjects' rights while doing so. The approach taken by most companies has been to respond to access requests in the form of a table listing the categories of personal data processed, and to provide the documents containing the data only upon a specific request for such documents from the data subject.
Another challenge for companies is obviously the management of retention periods. Knowing when you are legally required to erase data or destroy a document is not the hardest part, but it is also “an operational and IT challenge, as the real question is how to implement legal retention periods for documents in practice,” explains Audrey Rustichelli. Companies need to dedicate time to knowing what they store and why, and to finding ways, with existing internal technologies or new solutions, to manage the data lifecycle so that they can track the documents containing such data, keeping the obligations of the GDPR in mind. “A lot of companies have decided to start a digitalisation process, with a service provider, in order to go towards less paper and to organise their electronic documents database,” adds Audrey Rustichelli.