The legislation poses several challenges that companies have never faced before.
The General Data Protection Regulation (GDPR) aims to give citizens greater control over the data that administrations and companies have about them.
Companies have had two years to adapt to the GDPR but many did not do their homework until the last moment, says Esade Assistant Professor Antonio Delgado. Although the previous law already envisaged most of the rights included in the GDPR – either explicitly or by interpretation, as in the case of the right to be forgotten – the legislation introduces four features that companies cannot ignore:
- Data portability
- Data protection officer
- Organisational challenge
- Mindset change
1. Data portability
Data portability is the user's right to request the data that a company has about him or her or to have that information transferred to another company. This affects data provided by the customer, such as an email address, but also observed data, such as the customer's purchase history on a particular website.
Companies are obliged to supply these data in a usable format. "Portability is part of the right to access, but it is a challenge at the level of format and management," says Robert Madge, CEO of the Swiss company Xifrat Daten AG. "It will be very difficult to do this if it is not done in an automated way."
2. Data protection officer
The regulation includes the figure of the data protection officer (DPO) and makes it mandatory for certain institutions, including public administrations, companies whose activity requires continuous and systematic observation of personal data, and organisations that carry out large-scale processing of sensitive information, such as health, biometric or genetic data.
The DPO, who is responsible for advising and supervising the various departments that manage personal data, also acts as the company's liaison with the Spanish Agency for Data Protection and with interested parties.
"Even if a company is not obliged to have a data protection officer, that doesn't mean that it is not advisable to have one. It is convenient to have a figure who carries out these functions, even in the form of a specialised consultant," says María Belén Pose, Director of the Corporate Legal Consultancy Division at ARAG.
3. Organisational challenge
As the Data Protection Officer at CaixaBank, Pablo Díaz reflects on the impact of the GDPR on a large organisation: "We went from a classical way of evaluating data protection aspects – which focused on legal analysis – to a methodology based on global risk analysis."
Díaz explains that CaixaBank has addressed this organisational challenge in its parent company as well as in the various companies that make up the group. The GDPR presents "a fantastic opportunity to gain customers' trust," he says.
4. Mindset change
The GDPR implies a change of mindset for companies, which are no longer the owners of their clients' personal data. Instead, Madge warns, companies need to treat such information as borrowed data.
This willingness to give citizens control over their data is also reflected in the size of the penalties envisaged by the GDPR. "The highest fines in the regulation have to do with everything that is directly related to the user," says Madge. "Security issues have lower fines."
In short, the success or failure of personal data management will depend on two factors, according to Pose: first, customers' degree of trust and what they authorise companies to do with their data, and second, the efficiency with which companies are able to use data.