The GDPR enters into force in Luxembourg in May 2018
Catherine Di Lorenzo, a lawyer with Allen & Overy specialising in IT with a focus on data protection, explains the new General Data Protection Regulation (GDPR) coming into force on 25 May 2018.
Jess Bauldry: Who is affected by the GDPR regulation?
Catherine Di Lorenzo: It’s a topic that has to be looked at by every company because every company processes personal data, even if it’s just employment data.
What are the key issues of GDPR?
I think the kind of issues can be split into two: accountability obligations under GDPR, and accrued data subject rights. In terms of accountability: it’s a lot of work to do because you have to first analyse what data you have. That’s already a massive task because you have to go through the whole organisation, checking what are the data that are being used in different departments, and for what purposes. It’s not complicated from a legal perspective but challenging from an operational perspective. That’s going to be the basis to identify what’s required.
Then you ask “are my security arrangements appropriate?”. That will be done as part of the data mapping exercise.
Then I think the new challenge is also that companies who were initially only service providers (so processors) had little obligation under the current laws, but they will have accrued obligations in terms of accountability under the new law. They will have to hold records for processing and the respective controls. They will have obligations in terms of data breaches.
On the rights side, the legislator has raised the bar to collect “valid consent”, which is one of several things that changed, but not the only one. The current process, independent of the sector they are in, is they have to have some kind of previous policy where they describe what they do with the data, which had to be accepted by the clients. This practice will no longer be acceptable.
Today’s process in many companies was to say that when you agree with the policy, you agree with the processing described there. That will no longer work--there must be a clear explanation for what data processing they do, for what content it is collected and it has to be collected in a way that shows there’s been a decision from the data subject.
The technique of saying if you visit our site, you agree to all our data processes, that won’t work anymore. There needs to be some kind of expression of consent.
Tell us about the kinds of penalties that can be incurred for breaching the regulation.
The last really big issue or thing that bothers companies most is the huge fines. The law we have today provides for criminal sanctions, though they have been extremely rarely applied, and fines up to €250,000 for the company. For the representatives of the company it could be €125,000, which is a lot of money.
Under GDPR, there are no criminal sanctions, but there are administrative sanctions imposable by the data protection policers which can go up to 4% of the worldwide annual turnover of the company. That’s why companies are trying to get compliant. It’s a good incentive.
Who will police the GDPR in Luxembourg, once it enters into force?
Today we have a setup where you have to notify the Luxembourg data protection authority, the CNPD. This is going to change. That leaves CNPD on a new mission to ensure that the data protection laws are complied with. That means more investigations and controls by them. They could do that today already but they have less time. They have additional activities on the formalities side. They have also massively recruited in order to comply.
People can still complain individually. That is still there. When I mention access to information rights, you now have the obligation to notify them [the individual]. You have to include that an individual has the right to complain to the data protection authority. That wasn’t there before.
How can we, as individuals, exercise our right to access our data under the regulation?
We already have that right but you cannot abuse it. In principle, we exercise that right, depending on what the company gives you in terms of access. You can execute this right by contacting them. They might give the details of the data protection officers or legal department. Then you know how to execute it. They will then request some kind of evidence that you are who you say you are; a copy of your ID, to be sure I’m not requesting data on you. It’s also a recommendation for companies to put in place tools where individuals, for instance in an online environment, can see what data is processed on them. It depends on the organisation. There’s no hard guideline.
Do you think this regulation will empower more people to ask companies what information they are keeping on them?
I think some will definitely try and use that right but I’m not sure how many people in practice will exercise their rights. I think it’s also generational and cultural. Older people might be more worried about their data than younger people, who will just want to use the service or product or website without thinking too much about how the data is processed. Then there are also cultural differences that I’ve seen; for instance there’s a stronger culture of privacy and making requests for data access in Germany than in other countries.
In your opinion, is the new regulation solid?
I think so. They have learned from the directive that they put in place in 1995. I think there were some loopholes and there were also a lot of concepts that weren’t so clear at the time. With all the companies on the market in all the various sectors, the regulators and legislators have learned about what’s possible. They’ve tried to come up with a piece of legislation that’s technologically neutral…so they want to be able to cover everything.
Do you think companies in Luxembourg are ready for the regulation?
I think there are a lot that aren’t ready. But there are also a lot that are in the process, because there’s a lot of work to do. I also think some haven’t started yet.