GDPR in Luxembourg: the continuous search for the pot of gold

Be honest. We promise not to judge. You’re a company established in Luxembourg. How much of your GDPR action plans have gone from paper into practice? Are you 100% aware of what happens to all your clients’ data in all the areas of your business? Have you been able to identify the main risk factors for the data subjects when it comes to personal data?

Whatever the answer, don’t disclose it (and don’t panic). Close your eyes and take a deep breath. Imagine yourself as a mischievous, smiling and smartly-dressed leprechaun looking for a rainbow and a pot full of gold. After searching for a while, you finally find it, and its name is full GDPR compliance.

All leprechauns, no matter if they’re on foot or driving a wee race car in search of the rainbow, have to analyse their processes and revise their privacy policies and/or introduce new ones. Six months later, how far are you on your search for the pot of gold?

An optimist sees the opportunity in every difficulty… more or less

Winston Churchill said “A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty”.  The GDPR survey 2018 launched last December reveals that companies share a pattern. They are overly optimistic when walking the GDPR path.

In fact, our survey aimed to understand Luxembourg’s market reaction to the first six months of the application of the GDPR. The findings were… undeniably interesting and even puzzling.

Most Luxembourg companies, led by those in the financial sector in terms of maturity, consider themselves the successful leprechaun, sitting on the GDPR compliance pot of gold. Nearly 50% of survey respondents state they have implemented most of the regulation requirements, focusing on Data Privacy. A little over 40% of respondents are still climbing up and over the rainbow, with the pot of gold nearly in sight. They acknowledge that the GDPR is in their action plan, and have started implementing certain requirements. Yet, they still have to focus on important measures to implement.

The remaining 10% are still at the very beginning of their journey (at the beginning of the rainbow). These respondents state they have other priorities, but have already started implementing their GDPR compliance project.

GDPR in Luxembourg: the continuous search for the pot of gold

As you can see,  94% of the companies that answered our survey seem to be convinced they’re near the end of the rainbow, excelling in all the challenges.

Don’t get us wrong, being motivated and keeping a positive attitude is great but, we also need to see things as they are. The journey to the pot of gold is neither easy nor problem-free. There are milestones that need to be reached no matter the difficulty.

But what if small areas of the rainbow path are less visible than the rest?

Seeing the rainbow for what it is: a long and challenging road but colourful too

When looking at the survey results, we see clear links but also contrasts between GDPR-compliance self-assessment exercises and the actual performance of risk assessments. This applies to both, the assessment of data, assessing the risks for data subjects and the data processing activities themselves.

There’s a clear link between the level of GDPR-readiness and the identification of the main risk factors for the data subjects. Almost 50% of survey respondents indicate that they have identified and dealt with the risks. The other 40% indicate they have identified the risks but most haven’t solved them yet. Roughly, 15% of respondents have yet to identify the risk factors. For these leprechauns, the end of the road is harder to see because mid-colours are barely visible.

GDPR in Luxembourg: the continuous search for the pot of gold

Another solid connection with the level of GDPR-readiness is the risk level analysis of individual personal data processing activities. The latter is done using a Data Protection Impact Assessment (DPIA), the basis for any GDPR project.

To put it simply, if you concluded that data processing is likely to result in a high risk to the rights and freedom of data subjects, you must carry out a DPIA for each processing operation. They’re very useful when you’re introducing new data processing systems or technologies.

According to our survey, 90% of respondents started their journey without a hitch. They have identified the risks for the data subjects.

Somehow, here is where we start realising the difference between the first, optimistic statements from the leprechauns that reported having reached the pot of gold and the measures they took during their rainbow GDPR journey. 60% of respondents state they haven’t conducted a DPIA assessment and the other 10% highlighted they haven’t done an assessment and don’t plan to either. This suggests that their compliance with the GDPR isn’t a priority.

GDPR in Luxembourg: the continuous search for the pot of gold
Were you hacked or not hacked? That is the question

Consider this quote by Cisco’s CEO John Chambers: “There are two types of companies: those that have been hacked and those who don’t know they have been hacked. “

Now, remember one of the seven core principles of the GDPR: “Personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

When asked if the their journey to GDPR compliance  has procedures to manage personal-data breaches, nearly a third of respondents said they would be dealing with this event “on-the-go”, as they don’t have any measures against them in place nor have they identified the team that will deal with these incidents. When it comes to 80% of financial services, respondents declared the are very much prepared to respond to data breaches, having all the necessary procedures in place. Again, the sector shows better readiness, likely linked to a culture of compliance already embedded.

Less than 30% of companies admit having faced a data breach, while only 5% make John Chambers’ opinion very relevant. Indeed, they don’t know if they suffered a breach or not.

GDPR in Luxembourg: the continuous search for the pot of gold

Is there not a paradox that two thirds of the respondents declare to be confident about not having faced personal data breaches if they also stated they don’t have any solid security procedures? Less than 30% of companies admit having faced a personal data breach.  while only 5% say they don’t know if they have suffered a breach or not.

Over optimistic views? What do they suggest?

While it’s refreshing to see optimistic opinions about GDPR compliance, the graphics above demonstrate a reality that  isn’t precisely as survey respondents see it. The pot of gold at the end of the GDPR rainbow is more readily achieved if they follow each step. Companies are so focused in getting to the end quickly that they jump important steps, leaving them exposed to risk. Rushing is not the good approach.

To successfully complete this challenging journey to the end of the rainbow, companies might want to focus more on the journey and not just on the pot of gold. True richness comes from fulfilling a path, gaining experience and learn how to avoid unnecessary risks.

What we think
Frédéric Vonner, Partner, GDPR and Privacy Leader at PwC Luxembourg

Companies need to remember that GDPR is the beginning of a journey, only one aspect to data privacy and protection strategy. Overall, the survey results suggest a feeling of confidence shared among most companies in Luxembourg. However, there are some setbacks. The biggest challenge, no matter the industry, is mapping personal data but also fully implementing GDPR requirements. While most of the documentation is in order, on the practical aspect the remaining tasks are time-consuming and expensive. They are also the ones that will ultimately change a business’ culture.

Leave a Reply

Your email address will not be published. Required fields are marked *