GDPR Challenge for Small and Medium Enterprises
Complying with the General Data Protection Regulation (GDPR) has proven to be challenging for some organizations. This is especially true for Small and Medium Enterprises (SMEs) with limited resources. To achieve compliance, organizations need to allocate substantial resources for conducting data inventories, data flow audits, risk assessments, and compliance gap analyses. They also need to develop and implement operational policies, procedures, and processes for new workflows. In addition, personal data security through technical measures, individual training on GDPR policies and workflows, and GDPR compliance audits need to be done on an ongoing basis. While GDPR became enforceable on May 25, 2018, SMEs are still encountering workflow-related challenges.
The novel COVID-19 global outbreak has come with its own set of challenges. A mandatory work-from-home policy has prompted the rapid transition to a remote working model to which employees are trying to adapt. Meanwhile, the uncertainty that surrounds the COVID-19 pandemic has caused increased stress and anxiety for employees, and the scope of work for many departments has expanded in order to support a work-from-home model. These challenges are negatively impacting efficiency and productivity, further taxing resources, and hindering the ability of SMEs to respond to GDPR requests and conduct scheduled GDPR compliance audits. This is all transpiring with the California Consumer Privacy Act (CCPA) enforcement date looming.
Many organizations were not fully prepared to move all employees to remote work on such short notice. Employees are finding that they do not have the technology needed to conduct their work efficiently, nor do they have proper access to databases and systems. This hinders employee productivity. Furthermore, the lack of access presents challenges in responding to GDPR requests and conducting already-scheduled GDPR compliance audits.
GDPR Workflows Need to Be Adapted
Even with the proper technology and access, employees are encountering challenges. Like other organizational workflows, GDPR workflows need to be adapted for remote working. Many employees are finding that they need to include additional steps in their workflows in order to achieve the same results as in an office environment. In addition, some employees find working from home unproductive and distracting. The need to homeschool children has added to this sentiment. The stress and uncertainty people are feeling about COVID-19 is further hindering efficiency and affecting productivity. This can potentially increase the backlogs of GDPR requests.
The scope of work and workloads for many departments, including IT, Information Security, and compliance, have expanded due to COVID-19. The work of IT departments has expanded extensively to now include troubleshooting home WiFi connections, ordering additional hardware for use in employee homes, evaluating and purchasing additional technology to increase efficiency and communications across the organization (e.g. technology for virtual meetings at larger scales than previously needed), etc. Security departments, many of which are made up of only a small number of people, are working to manage the surging number of cyber threats designed to exploit the chaos surrounding COVID-19. Compliance teams are working on reviewing and updating policies and procedures (e.g. telecommuting policies and business continuity plans) and keeping up an ongoing effort to remind employees about health and medical policies (e.g. what can and cannot be asked of employees). In SMEs, these departments are generally responsible for managing GDPR requests and audits.
CCPA is Coming
In addition to GDPR challenges, the date for CCPA enforcement is swiftly approaching. Prior to the COVID-19 outbreak, organizations were allocating already-stretched resources to prepare for the July 1, 2020 enforcement date. While theoretically, organizations should have been in compliance with CCPA on January 1, 2020, they are facing challenges similar to those faced with GDPR. Many organizations are questioning whether they will be able to meet the deadline, prompting requests for the enforcement date to be pushed back. As of now, the enforcement date is not being delayed.
The challenges SMEs face when trying to obtain and maintain GDPR compliance have been further exacerbated by the unprecedented challenges posed by COVID-19. It is yet to be determined when we will see the end of COVID-19 and what backlogs and compliance statuses will look like when it’s finally resolved.