Skip Ribbon Commands
Skip to main content

One Year with GDPR – Continuous Compliance is still a Challenge

A year ago, the EU General Data Protection Regulation (GDPR) was enforced for all businesses, government, and public institutions either handling or coming into contact with European Union residents' personal data. It is needless to say that the GDPR had a dramatic effect on the way that organizations were going to deal with the data of customers, employees, and others. The enforcement of GDPR meant that the organization was forced to (re-)think their data management approaches to stay compliant and thereby avoid new fines and bad publicity.

Organizations of all sizes used a massive amount of effort to document processes and data, build governance programs, and ensure their compliance by May 25, 2018. A report from Dansk Erhverv states that Danish companies spent approx. DKK 8 billion on the GDPR, from hiring people or consultants to implementing new and necessary technology measures. However, it is also worth mentioning that working with personal data as a discipline was an immature process for many organizations, which is why most of them did just enough to become compliant by carrying out process mapping, creating procedures, and implementing awareness programs.

The First GDPR Penalty Fine in Denmark

In March 2019, the first penalty fine under GDPR was issued by the police on behalf of The Danish Data Protection Agency (DPA). A taxi company was reported for the violation of the GDPR, for not deleting information when it was no longer necessary for the purpose it was collected for and was fined DKK 1.2 million. There are two main points to be taken notice of: Firstly, whether the taxi company had retention and deletion policies in place, and secondly, did the company comply with the policies internally. Even though the company had procedures for deletion and anonymization, it was not implemented technically good enough and there was severe criticism from the DPA regarding the lack of data anonymization, minimization, and legal basis for processing data. That issue might be due to either procedural mistakes and/or technical limitations. Unfortunately, this scenario may not only be applicable for the taxi company, but also many other companies can be in a similar position, which is why the DPA has announced its increased focus and supervision on the rights of data subjects and the reuse of data in organizations in 2019.

Continuous Compliance is still a Challenge

Since May 2018, more than 4,000 data breaches have been reported to the DPA and more than 5,500 incidents regarding Data Subject Rights ( Interestingly, most of the data breach incidents have been due to 'human error' in case of wrong entries, lack of anonymization, copy/paste error, etc. That raises the question of whether the organizations have done enough to educate employees in personal data handling. The common training approach before the enforcement of the GDPR in May 2018 was to accomplish different types of basic awareness training, internal procedures updates, and communication plans often delivered with some gimmick (e.g. privacy screens, webcam filter etc.). However, the organizations need to ensure that the employees are reminded and tested regularly in the data privacy discipline and, furthermore, to ensure to share the benefits of staying in compliance and instill it into the culture.

The GDPR Journey goes on

The maturity of the GDPR journey can be divided into four steps: Diagnosis, Business Processes & IT Controls, Communication & Training, and Organizational Anchoring. The first three steps can be argued to be accomplished by organizations, but the fourth step, Organizational Anchoring, needs time to be implemented and must be anchored in the organization's culture, which leads to the Personal Awareness Journey. 

The Personal Awareness Journey goes from general Awareness to Ownership, where it can be fair to say that most employees are still around step 3 and has not fully changed behavior (Accepted) or taken Ownership of the changes. This probably requires some reintroduction of the GDPR and informing of what benefits the organization has gained and plans for further advancement. One success criterion for true ownership could be to measure the number of improvement ideas both internally and customer facing.

(Re)-think Digital GDPR Compliance in your Business Processes

Due to multiple regulatory requirements, the compliance work is still handled manually or includes heavy paperwork. However, grounded on prior challenges, it can be 'fruitful' to think of technology to avoid and minimize human errors. One use case could be the use of chatbots, which are normally utilized for simple queries. Chatbots are becoming very common in different settings and they have also been used as GDPR lexicons for employees by answering questions with pre-defined answers. The next step would be to integrate the chatbots into the IT infrastructure, and by enhancing with Natural Language Processing (NLP) and coupled with Robot Process Automation (RPA), they can handle more complex and time-consuming tasks, e.g. requests from Data Subjects. Another use case in digital GDPR compliance could be the use of Optical Character Recognition (OCR) coupled with RPA for transforming paper-based documentation to digital automatic document processing and archiving. The above could help the organization remove both trivial and complex time-consuming tasks from employees and thereby reduce the human error factor. In that way, freeing up time for more value-adding assignments and continuous improvement activities.


When considering Digital GDPR compliance:


  • Explorative development: Start simple but with a bigger vision – A well-defined Proof-of-Concept (PoC) or Minimal Viable Product (MVP) would be ideal to test complexity and organizational adaptability, especially when introducing new technologies
  • Onboard employees: Remove uncertainty by welcoming and involving employees. New technology advancement could create anxiety and insecurity; therefore, involvement and empowerment would generate better meaning and anchoring
  • Continuous training: Make sure to train and retrain employees and communicate the benefits and common achievements to them. Nevertheless, ensure to have the retraining as part of the annual compliance wheel and ensure to document it for inspection purposes. 


Remember no technology is bulletproof and needs to be adjusted to the individual organization. Nonetheless, it also needs to be handled in the right manner through proper governance. See more on how to overcome the regulatory demands with digital innovation in the following article Regulatory Compliance vs. Digital Innovation: A challenge or a perfect match?


About the author

Mobeen Arif has more than 10 years of experience in digital transformation. He has worked with IT and business transformation across many industries such as finance, enterprise, and public sector. He advises clients on value creation through digital transformation.

Want to learn more?

Do you want to learn more about NNIT's Regulatory Compliance Solutions or share any thoughts about this topic? Please feel free to contact Mobeen Arif, Managing Consultant in NNIT on




Mobeen ArifZMAR@nnit.comManaging ConsultantMobeen Arif



Infosecurity 2020 2020
Are you prepared to protect your business-critical IT? you prepared to protect your business-critical IT?
Are you prepared to protect your business-critical IT? you prepared to protect your business-critical IT?
Protect your gold: How to avoid your data ending up in the wrong hands your gold: How to avoid your data ending up in the wrong hands
How scammers attack your company using CEO fraud scammers attack your company using CEO fraud
VR Cybersecurity Training Cybersecurity Training
Cloud Security Security
Identity & Access Management & Access Management
Managed Security Security