It is crucial for organisations to raise awareness about GDPR among their staff and decision-makers, says the University of Luxembourg’s data protection officer Sandrine Munoz.
The EU general data protection regulation (GDPR), which enters into force on 25 May 2018, replaces the data protection directive 95/46/EC. It was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens and to reshape the way organisations across the region approach data privacy.
One regulation for all member states is a very positive thing, because it harmonises the rules. GDPR leads to a new philosophy for accountability, risk-based approach and cooperation between data protection authorities. This represents a challenge for companies and institutions, not only at the legal and IT level, but also in terms of governance and processes.
First of all, it is crucial for organisations to raise awareness about GDPR among their staff and decision-makers; furthermore, research and business teams will need to work together to achieve compliance. This is what the University and the Restena Foundation aim at, with a Data Privacy Day on 29 January. The speakers come from both the legal and IT areas, and the national data protection authority, the CNPD, will also participate.
In the new approach taken by the GDPR, institutes are more autonomous in how they deal with personal data and therefore have more flexibility; however, there are stronger requirements to comply with GDPR and to document this compliance. In other words, the institutions are accountable for managing the processing of personal data in compliance with GDPR. Due to the broader concept of personal data, it is likely that every institution and company is concerned by GDPR. It is difficult to evaluate the level of maturity of one's company with regard to its compliance with GDPR.
The websites of the European Commission and other bodies provide useful material such as videos and guidelines, and the CNPD has launched a dedicated website for companies. The CNPD is organising training sessions for all interested persons in February; they are an important step to being well informed and learning how to implement the GDPR.
The first step to implement GDPR within your institution is to set up a register for company data processing. The register is an inventory of personal data processing, detailing for instance which kind of personal data is processed, the legal basis and other indicators. Legal actors and data companies have developed tools to set up such registers. Companies have to choose the most appropriate one for the organisation and customise it to their needs.
One of the big challenges is also to perform adequate data protection impact assessments (DPIAs). DPIAs are designed to describe the processing of personal data within an organisation, assess the necessity and proportionality of this processing and help manage the risks and freedoms of individuals resulting from the processing of personal data.
We hope that key actors in the different sectors processing personal data will provide codes of conduct and the CNPD will recognise the organisations which will deliver GDPR certifications.
Another interesting aspect in GDPR is the processing of personal data for scientific research or statistics. In fact, GDPR allows member states to foresee national derogations for certain data subjects’ rights, if an organisation implements appropriate safeguards to protect this data and respects conditions mentioned in GDPR.
My advice is to stay informed about the latest changes, and seek advice from your company's data protection officer. For many companies handling personal data, it would be an advantage to have a data protection officer and it is mandatory in some conditions (public institutions notably).
Sandrine Munoz is data protection officer at the University of Luxembourg. She will be among the panellists speaking at Data Privacy Day 2018 on 29 January. The event, which is organised by the university and the Restena Foundation, is free and open to all.