Around 60% of the 56 companies who participated in the survey called “The Impact of the New Data Protection Regulations” conducted by PwC Romania stated that the implementation of the requirements of the General Data Protection Regulation (GDPR) was ongoing right after it entered into force, on May 25.
The PwC Romania report’s purpose was to measure the implementation level of the GDPR requirements among the Romanian companies.
The document shows that 12% of the companies that participated in the survey stated that they had completed the implementation of the Regulation’s requirements by the date of its entry into force. Most of them (57%) have up to 200 employees and operate in the pharmaceutical, financial, automotive and energy fields.
The companies consider that the departments most affected by the implementation of the Regulation are the Human Resources Department (25%) and the Customer Relationship Department (25%). The next department in this ranking is the IT Department (21%), while the Sales Department is ranked third (18%). Other departments mentioned, in small percentages, are the Financial Department, as well as the Marketing, Legal and Risk Departments.
“The entry into force of the Regulation caused a change of paradigm in the management of databases. We have noticed that certain fields of activity which are accustomed to the regulations that are specific to the information security (for instance the financial and telecommunication fields) have gone easier through the evaluation process of the impact of GDPR and started earlier to implement its requirements. It is extremely important to mention that the compliance process was not completed with the entry into force of the Regulation. A fair and complete analysis must be made on the internal processes and of the manner by which the information that was considered customary until recently is accessed or processed by a company”, stated Manuela Guia, Partner and Leader of the Legal Compliance and Data Protection Services Team, D&B David si Baias.
The participants in the survey stated that the most common measures to implement the Regulation consist of adopting an internal data protection strategy or procedure (19%), or revising and adapting the internal procedures as a whole in order to comply with the GDPR (19%). These solutions are preferred particularly by the companies operating in the financial services, retail and industrial production fields. Other mentioned measures include the improvement of the IT systems’ security (16%), the assessment of the contractual partners to which personal data is transferred (14%), the internal appointment of a person in charge of data protection (14%), the implementation of specific technologies (8%), the implementation of structural changes inside the organization and the appointment of a person in charge of the protection of the data sent outside the company (5%).
As for the compliance with the Regulation’s requirements, 32% of the companies stated they are using or they intend to use automatic solutions in order to search and find personal data within the company. The same percentage of companies are using automatic solutions to detect and monitor the incidents and events with an impact on the personal data security. The list of the technologies used is completed by automatic solutions to detect and prevent the loss of personal data (28%). The companies operating in financial services, automotive, energy and pharmaceutical fields stated they use such technologies most often.
“Our analysis shows that more and more companies appreciate that not only complying with the Regulation is important, but also strengthening, on this occasion, the protection of their own data against any possible cyberattack. However, the existence of a technology and its installation doesn’t always provide the necessary protection. It is necessary to build a system which integrates procedures and technologies that must work together in order to make the compliance process efficient. Of all these, the most important and at the same time the easiest to be defrauded is the user, the human resource. Continuous training and testing of the user for different scenarios is the most important issue related to a cyber security strategy. Even the most advanced prevention technology is totally inefficient when it is used by a human factor which is untrained or uninformed about the possible cyberattacks”, stated Mircea Bozga, Partner and Leader of the Risk Assurance Department of PwC Romania.