Organizational resilience, a huge challenge in implementing GDPR, says Deloitte

The supervisory and control authorities in the field of personal data from the vast majority of Central European countries seem to concentrate on explaining the provisions of the GDPR and the main challenges related to its observance without applying fines so far, according to Deloitte Legal study, “The GDPR – 6 months after implementation”.

“Deloitte Legal conducted an analysis exercise on the application of the General Data Protection Regulation (GDPR) in ten Central and Eastern European countries, resulting in a comprehensive material on the legal framework and market and authority preparation. Being the first study in the region, the document provides an overview of the GDPR impact on several key coordinates, such as: the main challenges with regards to the application of GDPR, best practices, the relationship with supervisory and control authorities, sectorial initiatives or activities subject to data protection impact assessment obligations. The players in Romania thus have the opportunity to understand the dynamics and developments of the sector compared to the states in the region. One of the most relevant conclusions of the document is that until now the corresponding authority of each country has focused on compliance guidance, avoiding controls and fines. However, unlike the vast majority of other states, Romania has not developed enough guidelines for companies,” says Georgiana Singurel, Partner with Reff and Associates, corresponding firm of Deloitte Legal in Romania.

One of the main challenges for Romania is the insufficient involvement of the supervisory authority in the companies’ activity, due to insufficient recommendations or due to public interpretations issued with regards to the application of GDPR.

One of the common practices was the tendency to draft information notes, policies or other internal documents on sophisticated and highly personalized data protection, in the absence of guidelines. At the same time, as in other states, there is an excessive use of consent as legal ground for processing.

Organizational resilience has also represented a huge challenge in implementing GDPR, but ultimately understanding the business needs of companies and receiving personalized training on data confidentiality have been of great help in reducing this resistance.

Another challenge was balancing and adapting the business needs of companies and their past practices on data confidentiality with the GDPR requirements, without interrupting their business.

The countries included in the study are Romania, Bulgaria, Lithuania, Latvia, the Czech Republic, Slovakia, Hungary, Poland, Croatia and Slovenia.