“Virtue is more feared than vice, because its excesses are not subject to regulation of conscience” stated Adam Smith.
Aren’t laws, after all, trying to limit any potential excesses of our conscience?
Innovation and regulation are bound to play the cat-and-mouse game. And you can easily figure who tries to catch up who.
Regulating isn’t a proactive exercise; on the contrary, it’s reactive, it’s a conscious human act that frames the – sometimes – shadowy virtues of our mind and brings two fundamental things: uniformity and compliance, by default.
The GDPR (General Data Protection Regulation) genesis isn’t different. It responded to an increasing need to set new rules for the lives in binary code that we are learning to live, sometimes the hard way. There were other laws attempting to regulate personal data and privacy before, but none of them went so far.
We were naïve. We thought the internet would become the herald of information freedom, the key to accessing the common knowledge of humanity. So it is, sort of. But it’s also a mine for harvesting citizens’ data and using it to accomplish objectives with obscure intentions, or at least ones that are not clear enough.
The GDPR, as every piece of law, has embedded procedures, but its spirit –please, allow us to use such a euphemism– and inception are based on a thorough reflection of what both freedom and privacy mean in our algorithm-driven planet.
This time we reached out to him to chat on the first anniversary of the GDPR, and to learn from his experience when working with our clients.
GDPR compliance isn’t a one-off game
“Complying with the GDPR isn’t a one-off game, but a progressive exercise,” says Fred. Indeed, it’s an upgrading process that calls for inevitable trials and errors (yes, also, sometimes).
As a reputable organisation focused on content marketing puts it: marketers –therefore businesses– “must innovate, design, and create their way into the GDPR.”
During the past 12 months, assisting different-sized businesses from varied industries has been a revealing opportunity to understand how they mingle with data privacy matters. Please, notice that we just wrote “data privacy” and not “GDPR”.
The GDPR invites businesses and individuals to think beyond the document that merely states articles and subsections. It’s about applying reverse engineering to understanding what the business approach to data management data privacy, cybersecurity and, ultimately, digital trust, is, and rethinking it.
Think of GDPR compliance as a long-term workshop where you brainstorm on how you have been capturing clients’ data and where, how you use them and with what purposes, and how you protect them. Moreover, you also want to reflect on when that information isn’t relevant anymore and must be deleted. After that, a nice prototyping exercise on how to make those processes better should follow.
At this point in the conversation, Fred recalled a Greg Pitzer’s quote that we included in a previous blog article:
It is necessary to work across the entire value chain, building communities of trust around the service, bringing together service providers, governments and regulators, employees and customers.
Tackling the GDPR core
“While the most urgent and procedural GDPR requirements are almost fully accomplished,” Fred goes, “it is time to tackle the nitty-gritty aspects of the regulation. The paperwork is done, the box in the list of the most visible GDPR compliance requirements is ticked. There is, however, the need to tackle the core.”
Our GDPR survey already unveiled that the mapping of all personal data processed was the key challenge to an important part of respondents.
That, and according to client experiences, translates into:
Determining a reasonable and lawful duration of data retention. The GDPR wants data controllers and data processors to handle personal data for no longer than the purpose for which data were processed. For instance, AML/KYC procedures require a different time consideration than an HR company handling CVs for recruitment.
Determining the right balance of information that businesses need to hold, to provide services that satisfy users or clients without being intrusive or detrimental.
Conducting regular risk assessments. This core compliance requirement isn’t only linked to cybersecurity but, if thinking more ambitiously, it’s about having a digital trust mindset embedded in the organisation aimed towards mitigating risks for individuals, and a roadmap to security already defined. This is a challenging requirement of the GDPR, in fact. To tick this box, businesses require evaluating how the existing technical measures and operations keep both processing systems and services safe and resilient.
Educating professionals at all levels. After all, data breaches are, reportedly, caused by human errors in many cases. It includes, for example, figuring out potential “leak sources” when someone keeps data manually.
John Studly, PwC Australia’s partner, said, regarding GDPR compliance: “Staying within the bounds of the law is not nearly enough.”
And our colleagues from the same office added:“With regulation playing perennial catch up to technology, it’s up to business to live by a set of data-ethics principles and maintain trust with those users whose data it is benefiting from.”
Big or small, the GDPR is behind it all
In an event held in late Autumn 2018 in our premises, Christophe Buschmann, one of Luxembourg’s CNPD commissioners, stated that the Commission will primarily support businesses in their GDPR journey, rather than taking a strict approach and search for any breach since the beginning.
“The CNPD isn’t the bad kid on the block,” reflects Fred. “But, at some point, Luxembourg’s GDPR guardian won’t have any other option but to start sanctioning. And this doesn’t go only to the large enterprises or big technology players though.”
In January 2019, the French CNIL (Commission nationale de l’informatique et des libertés) imposed a financial penalty of 50 Million euros against Google LLC, for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”
In September 2018, only 4 months after the enforcement of the GDPR (May 25 2018), the Austrian Data Protection Authority (DPA) made its first GDPR-related penal decision against a sports betting café. The administrative fine imposed was € 5,280,00. The small business used a video surveillance system that covered public streets and parking lots in front of the business entrance.
The non-extremist approach to comply with the GDPR
“Taking an extremist approach to GDPR compliance isn’t ideal” states Fred. To him, that approach equals to a limited understanding of the spirit of the law. “It isn’t about taking the regulation word-by-word. Imagine if you have valuable information in a server that, for whatever reason, you cannot transfer anywhere else but you need to keep. You will not throw the server through the window! In that case, I recommend designing a strong risk management plan, including clear actions of what to do if there is a data breach. For the future, however, new data keeping and data handling procedures have to be considered.”
To him, that’s actually taking a pragmatic approach to GDPR compliance. It’s considering the potential risks for the people concerned (users) and act accordingly.
What we think
Frédéric Vonner, Partner, GDPR and Privacy Leader at PwC Luxembourg
Because financial services are more regulated, readiness to comply with the GDPR is, well, forgiving the redundancy, more ready. However, by all means, the game isn’t over. Indeed, the GDPR compliance journey has just started and we’re learning with it. We, all businesses, are rethinking our approach to data management, to privacy and to digital trust. I invite you to consider the GDPR as an opportunity.
