“Virtue is more feared than vice, because its excesses are not subject to regulation of conscience” stated Adam Smith.
Aren’t laws, after all, trying to limit any potential excesses of our conscience?
Innovation and regulation are bound to play a cat-and-mouse game. And it is easy to see who is trying to catch up with whom.
Regulating isn't a proactive exercise; on the contrary, it's reactive. It's a conscious human act that frames the – sometimes – shadowy virtues of our mind and brings two fundamental things by default: uniformity and compliance.
The genesis of the GDPR (General Data Protection Regulation) is no different. It responded to a growing need for new rules for the lives in binary code that we are learning to live, sometimes the hard way. There were earlier laws attempting to regulate personal data and privacy, but none of them went so far.
We were naïve. We thought the internet would become the herald of information freedom, the key to accessing the common knowledge of humanity. So it is, sort of. But it's also a mine for harvesting citizens' data and using it to pursue objectives with obscure intentions, or at least ones that are not clear enough.
The GDPR, like every piece of law, has embedded procedures, but its spirit –please, allow us such a euphemism– and inception are based on a thorough reflection on what both freedom and privacy mean on our algorithm-driven planet.
This time we reached out to Frédéric Vonner (Fred), PwC Luxembourg's GDPR and Privacy Leader, to chat on the first anniversary of the GDPR and to learn from his experience working with our clients.
GDPR compliance isn’t a one-off game
“Complying with the GDPR isn't a one-off game, but a progressive exercise,” says Fred. Indeed, it is an iterative process that inevitably involves trial and error (yes, errors too, sometimes).
As a reputable organisation focused on content marketing puts it, marketers –and therefore businesses– “must innovate, design, and create their way into the GDPR.”
Over the past 12 months, assisting businesses of different sizes from a range of industries has been a revealing opportunity to understand how they deal with data privacy matters. Please note that we wrote “data privacy” and not “GDPR”.
The GDPR invites businesses and individuals to think beyond the document that merely states articles and subsections. It is about reverse-engineering the business's approach to data management, data privacy, cybersecurity and, ultimately, digital trust, and rethinking it.
Think of GDPR compliance as a long-term workshop where you brainstorm on how and where you have been capturing clients' data, how you use them and for what purposes, and how you protect them. Moreover, you also want to reflect on when that information is no longer relevant and must be deleted. After that, a prototyping exercise on how to make those processes better should follow.
At this point in the conversation, Fred recalled a quote from Greg Pitzer that we included in a previous blog article:
It is necessary to work across the entire value chain, building communities of trust around the service, bringing together service providers, governments and regulators, employees and customers.
Tackling the GDPR core
“While the most urgent and procedural GDPR requirements are almost fully accomplished,” Fred continues, “it is time to tackle the nitty-gritty aspects of the regulation. The paperwork is done, and the box in the list of the most visible GDPR compliance requirements is ticked. There is, however, the need to tackle the core.”
Our GDPR survey already revealed that mapping all the personal data processed was the key challenge for a significant share of respondents.
That, according to client experiences, translates into:
Determining a reasonable and lawful duration of data retention. The GDPR requires data controllers and data processors to keep personal data for no longer than is necessary for the purposes for which they are processed. For instance, AML/KYC (anti-money-laundering / know-your-customer) procedures call for a different retention period than an HR company handling CVs for recruitment.
Determining the right balance of information that businesses need to hold in order to provide services that satisfy users or clients without being intrusive or detrimental.
Conducting regular risk assessments. This core compliance requirement isn't only linked to cybersecurity; thinking more ambitiously, it is about embedding a digital trust mindset in the organisation, aimed at mitigating risks for individuals, with a security roadmap already defined. This is, in fact, one of the more challenging requirements of the GDPR. To tick this box, businesses need to evaluate how the existing technical and organisational measures keep both processing systems and services secure and resilient, and to repeat that evaluation regularly rather than once.
Educating professionals at all levels. After all, data breaches are, reportedly, caused by human error in many cases. This includes, for example, identifying potential “leak sources” when someone handles data manually.
John Studly, a PwC Australia partner, said, regarding GDPR compliance: “Staying within the bounds of the law is not nearly enough.”
And our colleagues from the same office added: “With regulation playing perennial catch-up to technology, it's up to business to live by a set of data-ethics principles and maintain trust with those users whose data it is benefiting from.”
Big or small, the GDPR is behind it all
At an event held in late autumn 2018 at our premises, Christophe Buschmann, one of the commissioners of Luxembourg's CNPD (Commission nationale pour la protection des données), stated that the Commission would primarily support businesses in their GDPR journey, rather than taking a strict approach and searching for breaches from the outset.
“The CNPD isn't the bad kid on the block,” reflects Fred. “But, at some point, Luxembourg's GDPR guardian won't have any other option but to start sanctioning. And this doesn't apply only to large enterprises or big technology players, though.”
In January 2019, the French CNIL (Commission nationale de l'informatique et des libertés) imposed a financial penalty of 50 million euros on Google LLC for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”
In September 2018, only four months after the GDPR became applicable (25 May 2018), the Austrian Data Protection Authority (DPA) issued its first GDPR-related penalty decision, against a sports betting café. The administrative fine imposed was €5,280.00. The small business used a video surveillance system that covered public streets and parking lots in front of the business entrance.
The non-extremist approach to complying with the GDPR
“Taking an extremist approach to GDPR compliance isn't ideal,” states Fred. To him, that approach amounts to a limited understanding of the spirit of the law. “It isn't about taking the regulation word for word. Imagine you have valuable information on a server that, for whatever reason, you cannot transfer anywhere else but need to keep. You will not throw the server out of the window! In that case, I recommend designing a strong risk management plan, including clear actions on what to do if there is a data breach. For the future, however, new data-keeping and data-handling procedures have to be considered.”
To him, that is actually the pragmatic approach to GDPR compliance: considering the potential risks for the people concerned (users) and acting accordingly.
What we think
Frédéric Vonner, Partner, GDPR and Privacy Leader at PwC Luxembourg
Because financial services are more regulated, readiness to comply with the GDPR is, well, forgive the redundancy, more ready. However, by all means, the game isn't over. Indeed, the GDPR compliance journey has just started and we're learning with it. We, all businesses, are rethinking our approach to data management, to privacy and to digital trust. I invite you to consider the GDPR as an opportunity.