Best practice

Obstacles that companies face when implementing the GDPR

  05. 12. 2018

These are challenges that can’t be solved overnight, as business processes have to be adapted, the necessary information solutions have to be introduced, and employees have to be educated about the importance of protecting (personal) data.

This year, the General Data Protection Regulation (GDPR) shook up the business community and raised many questions regarding personal data security. Today, companies have to face personal data, so to speak, in all key business processes. Personal data are everywhere: in paper documents, information systems, databases, shared folders, cloud storage, and other media.

Because a comprehensive overview of personal data processing meant a radical adjustment of the relevant processing procedures, some companies complied only with certain aspects of the GDPR before May 25th, 2018, when the Regulation came into force.

Don’t wait until the last minute

Although the GDPR stipulates serious penalties for violations of its provisions, the Slovenian Information Commissioner announced that, until the new Personal Data Protection Act is adopted, it will act in an advisory capacity, educating companies with a view to implementing the new rules as smoothly as possible. But don’t be fooled. You shouldn’t wait, as the law will fully follow the GDPR, with further elaboration of certain provisions. Once the law is adopted, the Information Commissioner may impose the first penalties for personal data protection violations.

Problems which Slovenian companies still face

For Slovenian companies, many problems arising during the operational implementation of the GDPR remain unresolved. These challenges cannot be solved overnight, as they require more significant adaptation of business processes, the introduction of the necessary information solutions, and the education of employees about the importance of data protection.

We can emphasize the following as the primary obstacles companies currently face when implementing the GDPR:

1. Processing personal data in paper documents

Businesses still work with large volumes of paper documents that contain sensitive information and personal data, such as HR files, contracts, and so on. These documents are stored in desk drawers, unlocked file cabinets, and unprotected archives. Paper documents pose the greatest risk in terms of personal data protection, as they are susceptible to unauthorized data access, which may lead to abuse. In addition, they make it difficult to maintain an audit trail of user actions, which can have serious implications for the company.


2. Risks associated with exchanging documents containing personal data by e-mail, cloud storage, or shared folders on a network drive

Employees exchange documents via e-mail or send them via Dropbox or WeTransfer on a daily basis, and many employees keep personal data in unprotected Excel spreadsheets on shared folders. In these cases, personal data are not protected during transfer and can quickly fall victim to loss or abuse.


3. Inappropriate archiving of personal data files

Companies keep documents in various systems that don’t allow for a uniform overview of access to personal data and don’t record user access. The GDPR requirements related to recording audit trails, retention deadlines, and personal data erasures (as personal data may only be stored for as long as necessary) pose additional challenges to companies without appropriate information solutions.

 Sanja Žaubi, Data protection officer at Mikrocop