Preparing for the impact of the GDPR
After four years of negotiations and following the decisive agreement reached at the end of 2015 under the Luxembourg Presidency of the EU, the new General Data Protection Regulation (GDPR) was formally adopted by the European Parliament on 14 April. The provisions of the new regulation, which aim to “give citizens back control over their personal data while simplifying the regulatory environment for businesses,” will be directly applicable in all EU Member States as of 25 May 2018. Tine A. Larsen, Chair of the National Commission for Data Protection (CNPD), shares her analysis of the GDPR’s impact on businesses and provides an update on the state of personal data protection in Luxembourg.
What are the CNPD’s responsibilities?
“The CNPD’s current responsibilities include monitoring and verifying the legality of the collection and use of data subject to processing. The National Commission also examines processing activities that require authorization to ensure transparency.”
“The CNPD is also responsible for ensuring respect for individuals’ fundamental rights and freedoms, particularly their privacy and personal data, as well as informing the public about their rights and potential risks. The Commission is empowered to receive and investigate complaints and requests for verification of the legality of data processing. Its mission also extends to ensuring privacy in the electronic communications sector. Finally, it also advises the government on these matters.”
What role will the CNPD play under the new European regulation?
“The new European regulation strengthens the CNPD’s supervisory role and favors ex-post rather than ex-ante control. It also allows the CNPD to impose administrative fines that must be effective, proportionate, and dissuasive.”
“The National Commission will also cooperate more closely with other European supervisory authorities, notably through the One-Stop-Shop mechanism and consistency procedures. To coordinate actions between these authorities and avoid discrepancies in application across the EU, the regulation provides for the creation of a European Data Protection Board, on which a member of the CNPD will sit.”
“During the transition to the new regulation, the CNPD will issue guidelines to facilitate compliance efforts by data controllers and processors.”
What benefits will citizens and consumers gain?
“This new regulation clearly places the protection of citizens and consumers at the center of all actors involved in data protection. It introduces a transparency obligation requiring companies to use clear and easily understandable language in all communications with individuals.”
“The conditions for obtaining consent are also clarified, particularly for children and adolescents. Individuals also gain new rights, such as the right to erasure (right to be forgotten) and data portability, allowing them to better control the use of their personal data.”
“To exercise these rights, individuals are invited to contact the supervisory authority in their country of residence or workplace. In Luxembourg, this authority is the CNPD.”
What consequences will companies face, in terms of both constraints and opportunities?
“First of all, the European regulation does not only affect companies but also their entire chain of subcontractors involved in personal data processing. In general, we will see a significant reduction in notification requirements to the CNPD. The counterpart to this simplification is increased corporate responsibility, while also giving companies greater freedom in designing their data management policies. At all times, they must be able to demonstrate the relevance and adequacy of the technical and organizational measures implemented to ensure compliance with the new obligations, such as data protection by design and by default.”
Is demand for the CNPD increasing?
“Yes, authorization and information requests continue to increase every year. For example, while the CNPD received nearly 700 authorization requests in 2012, it received over 1,100 in 2015. Similarly, complaints and verification requests are steadily increasing. This is due to the growing number of cross-border complaints, as Luxembourg hosts many multinational company headquarters that process data for European customers. With the entry into force of the reform in 2018, this trend is likely to intensify, as European citizens will be able to more easily file complaints with their national data protection authority, which will then forward them to the CNPD within very short timeframes.”
Is there a real data protection culture in Luxembourg?
“We observe that both citizens and companies show increased awareness and self-responsibility regarding data protection. The steady rise in authorization requests, information requests, and complaints clearly shows that the public is taking ownership of its rights.”
How can this awareness be strengthened? What actions have been taken?
“The CNPD supports this awareness. We have launched several information and awareness campaigns and regularly participate in conferences and events such as Hack4Kids and the Information Security Days. We also collaborate with organizations such as Bee-Secure, the University of Luxembourg, and the Chamber of Employees. Finally, the CNPD will organize a conference and information sessions in October and November 2016 to raise awareness among the public and businesses about the changes brought by the reform.”
How can the right balance between security, privacy, and operability be achieved?
“Companies must implement data protection governance with formal executive commitment defining clear objectives. All staff must be involved, trained, and given performance goals in this area. In projects involving personal data processing, all stakeholders—project managers, developers, IT security teams, legal teams, product managers, and marketing—must work together to find appropriate solutions that balance security, data protection, and business objectives.”
“Keeping these three criteria in mind at all times, without neglecting any of them, allows for balanced solutions. Cost or operational constraints do not exempt companies from their obligations. I am convinced that a sensible, coherent, and lived data protection policy can provide companies with a competitive advantage.”