2018 GDPR Update from the EUGDPR Institute. The confessions of a DPO
Part I excerpt.
As the year 2017 is ending, I sit here in my corner office and began reflecting on what has transpired in the world of the EU’s General Data Protection Regulation (GDPR) and the apprehensions on what the coming year 2018 will have in store for me, my colleagues, the organisation and the business.
The organisation and the industry must focus on a privacy strategy that asserts ownership on data related issues and the rights of the data subject. The GDPR is probably the most comprehensive personal data protection law ever seen, and that requires more than lip service to comply. We were fortunate to get a head start since our chairman had the vision to enforce GDPR as a privacy protection safeguard for consumers and citizens. This gave us an opportunity to revamp a long overdue facelift of the IT structure and our databases, and that was much more than just a facelift. Despite the cultural, disciplinary transparency and accountability issues consider GDPR implementation as a journey. That needs a paradigm shift in the GDPR implementation project plan that embraces the realities of the digital age that will affect all aspects of our corporate lives on cyber and IT security.
Reflections and confessions of a GDPR Data Protection Officer (Part II of III)
In the first part, I went thru what we had done to implement GDPR primarily as a planning exercise that gave us. This gave us an opportunity to revamp a long overdue facelift of the IT structure and our databases. However, it seems to me that most organisations do not take that approach. They want to continue with the current IT and data infrastructure as it is and merely implement GDPR as a compliance exercise. For our entire organisation nevertheless, staying with the continued effort to update our digitalisation, 2018 will most likely see an added emphasis on protecting digital identity and personal data in the field of international privacy.Here again, this is a result of the strategic attention data protection, and cybersecurity is in our boardrooms. Our chairman has repeatedly said that accountability, transparency, data discipline issues are a high priority and he will not accept any ransomware, phishing, malware, DDOS and other attacks in out IT and data systems.
It seems to me that both public and private sector entities have realised that they have to comply with GDPR by the May 25th, 2018 deadline and now in increasing numbers scramble to comply. Due to this late start, they are not prioritising digital, IT and data security and cloud issues and solutions. Unfortunately, they will not achieve GDPR efficiency and IT security gains and that in the long run will be more expensive.
Follow a structured implementation guidance
These organisations have to understand that GDPR compliance is not self-evident as most organisations will not be ready. During a recent DPO network meeting organised by the EUGDPR Institute there was a wild discussion whether GDPR was over-prescriptive, other members of the network claimed that GDPR is non-prescriptive. This argument only reiterated the fact that like all other compliance issues there is no “black-and-white” compliant or a state of being compliant or non-compliant. There will always be a degree of interpretation, and they can, as we did, follow a structured implementation guidance by starting with a workshop and a format for an integrated implementation approach provided by the EUGDPR Institute.
GDPR challenges in a globalised, interconnected and digitally borderless world
With the above suggestions for implementation, all organisations should be able to develop a GDPR practice and develop to policies, procedures and guidelines that accompany the GDPR regulation so that the organisation can take more responsibility for their internal processes to align and satisfy the internal stakeholders and the oversight authorities.
One of the critical GDPR challenges and restrictions in the globalised, interconnected and the digitally borderless world, is the transfers of personal data. How can organisations place enough safeguards in their global data transfer practices to document compliance and that data, information and privacy matters? GDPR addresses this issue because based on the latest statistics from IMF, Unctad and The World Bank, the flow of data in terabytes per second, now exceed the flow of trade and finance as a % of GDP. Therefore, ensure that:
- The third country or the external company that processes your privacy data, must provide and document that an adequate level of protection for the personal data as determined by the GDPR is in place
- In the absence of that adequate level of data protection and IT-Security, the controller or processor wishing to transfer the data provides must ensure appropriate safeguards on the condition that enforceable data subject rights and effective legal remedies for individuals are available
- Review other possible mechanisms – that range from Binding Corporate Rules to approved codes of conduct and certification mechanisms, including different types of contractual solutions.
So, every robust organisation that want to achieve the minimum compliance must remember that GDPR will forever have a significant influence on the EU citizens data privacy rights and who knows perhaps even fight terrorism and other cross-border crimes.