What lies under the surface of the GDPR obligation?

What lies under the surface of the GDPR obligation?
When the law on personal data protection entered into force a few years ago, it attracted only
fleeting attention. Its implementation was often limited to a few formal steps, and the companies
began to evade just the most obvious violations of it. But with GDPR, the situation is changing.

Belief in the status quo and dead investments
No one likes to invest hard-earned money into something that won’t lead to a business
improvement, that can’t make any more money and doesn’t work competitively. Regulatory burden
often fits exactly into this frame and the first idea behind implementing GDPR is often finding the
way for it all to work so as to have the best of both worlds.
GDPR implementation often gets stuck already at this point. The creators of GDPR counted with this,
and so changed the status quo – the supervisory authority does not have to prove violations of the
law in a complicated way.   The company itself must demonstrate compliance with the regulation,
and the GDPR itself contains obligations that serve as a guide.

What is the management afraid of
Very often we hear what threats the GDPR represents. The potential penalties of up to 4 % of global
turnover sound scary, but few believe that it could go so far. Far greater pain is investing in the
implementation itself. And right after it is the complexity of implementation. In a strictly
fundamental concept, it tends to swallow up any resources of the company – not just financial, but
also the implementation teams, business administrators, etc. And that sounds like a very bad news to
any management.

GDPR as a business opportunity
GDPR is working with data. With data, which in the digital world represent the foundation of many
companies’ business. Most companies try to systematically collect data, and look for ways to improve
their business and their success on the market with their help. Data represent a direct competitive
Therefore, to actually make use of them, they have to be controlled – become a data-driven
company. GDPR is indirectly actually trying to achieve something similar, only with the difference
that the goal is to ensure the protection of the rights and freedoms of the personal data owner. Or
citizens, customers, business partners…

Since only a very few companies are truly “data-driven”, these two activities can be effectively
combined. Although GDPR represents a purely regulatory requirements, it can effectively contribute
to improving your own business. Transform the burden into a benefit, and the dead investment into
a direct business investment.

Implementation project as a never-ending process
Most work is always at the beginning. But don’t believe that’s the end of it. Every change in the
processing of personal data in the future must follow GDPR. So how does a process like this look?

Quick scan – very quickly we find the processing status of personal data in your organization. Typical
areas it is appropriate to focus on are:
Human Resources
Risky processing
Transfer of personal data to processors

GAP analysis – defining the difference between the actual state (AS-IS) and the desired state (to-be).

Identification of impacts – finding out what each of the implementation requirements represent,
who must be involved in their realization, and we prioritize.

Solution proposal – describing the design of the solution. For example, the basis for processing the
register of personal data is created in this phase.

Actual implementation – setting organizational, technical and other measures. During this phase,
even the Solution proposal is further complemented in justified cases.
Virtually identical procedure applies in the case of future changes, the introduction of new
processing of personal data, etc. It sounds quite easy, but there are a few traps in the way.

GDPR as a trap during implementation
Every project has its challenges, and the greatest pitfall of GDPR projects is the extensive scale.
Especially in large companies, which own hundreds of information systems with which thousands of
end users work, may find that the complexity is beyond their power.

In this way, huge projects can be very easily planned, being so costly and time consuming that their
completion seems impracticable. Important competence in implementation is the ability to simplify,
prioritize risks, not getting drawn into too much detail on the one hand, and not betraying the basic
principles of GDPR on the other.

That’s a nice wording, but where’s the right level of detail? And that is the problem. In every business
elsewhere, taking into account its situation and the range of processed data, which the project must
always reflect very sensitively.

The other major trap is “the legitimate interest of the administrator”. This requires a more detailed
explanation. Any personal information must be processed for legitimately defined and explicit
purposes. GDPR specifies the legal titles, which solely ensure the legitimacy of the process. And one
of these titles is “the legitimate interest of the administrator”, more specifically that: “processing is
necessary for the purposes of the legitimate interests of the relevant administrator or a third party,
except where prior to these interests have priority the interests or fundamental rights and freedoms
of the data subject which requires protection of personal data, in particular if the data subject is a
What is often overlooked during implementation is the part: “except where prior to these interests
have priority the interests or fundamental rights and freedoms of the data subject”. Therefore, if you
build the processing of personal data on this title, you must be able to demonstrate very well why
your interest is actually legitimate, but most importantly, that there is not the aforementioned
priority over the interests and fundamental rights. For this, balance tests must be created in a way
that ensures their retrospective proof documentation.
Overuse of the title itself indicates that the specific implementation of GDPR is too risk-driven and
may not ensure adequate fulfilling of the regulation, i.e. it can actually expose the company to the
risk of legal actions and intervention by the supervisory authority.
And these are just the worst traps.

Keys to success

Processing of personal data register
Quality register of personal data processing. Without it, you cannot successfully implement GDPR.

Preference of reliable legal titles
Maximum effort to rely on legal titles of processing that provide high assurance, i.e. are based on the
performance of a legal obligation or performance of a contract.
Minimize the amount of actually required processing consents, do not create any extra. The same
applies to the legal titles “the legitimate interest of the administrator”.

Minimization of processed data

Minimize the amount of processed personal data – in particular those which include risky processing
or it’s difficult to prove the legitimacy of their processing, if it is not a business critical processing.

Project flexibility
Not to be afraid in any analytical phase to change the level of detail while maintaining the basic
principles listed in GDPR. Without it, there is a risk of reaching a deadlock.

Being responsive towards the personal data subject
Set the corporate treatment of the objections of personal data subjects into the most responsive
mode. Better to immediately stop processing the personal data of a specific subject, than trying to
persuade the subject that you’re right.

And most importantly: at the beginning of the project, analyse the basic GDPR principles really well in
the area of data collection, their management, working with consents, disclosure of data to third
parties, security and minimization of the data and governance requirements.  Then start the project
and validate it regularly to ensure that you are still in line with these principles. Only this will ensure
that the investment to the project will actually be used appropriately, and prevent getting lost in
blind alleys, to which each implementation offers many opportunities.

Petr Šnajdr, GDPR consultant
Ness Technologies