Mon 11 Dec 2017
News - Directors' Day 2017 - Data Protection and Security
Directors' Day 2017 - Data Protection and Security

Boards and new data protection rules

New EU data protection legislation is set to affect the way many companies interact with clients and suppliers. So what steps should boards take as they prepare for the advent of the General Data Protection Regulation (GDPR) from 25th May 2018? Christophe Buschmann commissioner with Luxembourg’s National Commission for Data Protection (CNPD) gave some pointers.

Adapting to GDPR will be a learning process for businesses but also regulators, suggested Mr Buschmann. Being an EU regulation (rather than a directive), this text applies across the EU without need to be transcribed into national law. The aim is to maximise practice across the Union, to facilitate the free-flow of data. But as ever, the detail is devilish and national differences will persist. GDPR is an update of 23 year-old rules, and it seeks to reinforce the rights of the individual, increases responsibility on the processors’ side, and it will lead to an increased role for data protection authorities.

Mr Buschmann laid out what he sees are elements that are key for the board. The accountability principle requires documentation and clear internal reporting lines. Also, while there are almost no required administrative procedures, the onus is on organisations to be effective in the way data is protected. Allied to this is the need for a risk-based approach, so that if a business has lower risk then they need to make fewer provisions than firms at higher risk.

“GDPR leaves a lot of flexibility for organisations to put tailor made measures in place, but this might also lead to incertitude,” he commented. Thus, this gives rise to questions about whether protection measures have been sufficient, do they meet the expectations of the regulator, and broader legal implications. Complications increase when working cross-border, as despite the aims of the regulation, national laws need to be taken into account. Again, the board needs to make sure executives are taking all necessary steps.

He said that the CNPD has increased responsibility to provide guidance, and they are keen to work with different sectors and individual firms to find solutions. There is no desire to be overly prescriptive, even though Mr Buschmann agreed that this creates a degree of uncertainty, and this would be taken into account when making assessments. The commission are also working with other national regulators to form common positions regarding cross-border data transfers.

He warned against the spread of certain myths around the new rules. For example, he hears frequently the belief that the solution to data protection is to ask consent for all processing activities. “There are many other aspects to this question: KYC rules, public interest rules, whether the processing is in the interests of the company, and more. Consent is only one part of this, and is not always the strongest tool,” he warned. Indeed having invalid or irrelevant consent forms could even make matters worse.

There are a host of other misunderstandings about GDPR. Some people believe it forbids the installation of anti-virus software, while others think it is mainly a video surveillance/IT security/legal issue, or that it hampers their AML work. Others fear the rules require in-depth audits of all suppliers and that outsourcing is to be made impracticable. All these concerns are misplaced, Mr Buschmann said.

He also sought to calm fears that the CNPD will aggressively target non-compliance. Given the lack of certainty around the rules, they understand this would not be in the general interest. That said, companies must show they are making preparations and are asking the right questions. He confirmed that fines could be levied even in the early months if firms are not seen to be taking their responsibilities seriously.
The regulator has identified four key recommendations:

  • Have an inventory of your processing activities, check the legal ground for each processing activity, and identify your company’s role as either a controller or processor
  • Integrate data privacy into the governance structure. Each firm has substantial flexibility, but rules must be made effective
  • Efforts must include all dimensions of privacy, including legal, IT and business.
  • Stay informed, as data privacy rules will evolve

Other points include: the need to be open minded about potential data risks; understand that GDPR applies to clients and employees; understand that more invasive activities may require additional steps; there are specific data transfer rules; data collected for one use might not be available for other uses; keep an eye on outsourcing partners; GDPR applies to pseudonymised data (as opposed to encrypted data).

For the latest information, keep up to date on the trilingual site.