GDPR, one year on

Mélanie Gagnon, Founder & CEO, MGSI Marie De Decker

The EU’s General Data Protection Regulation entered into full force on 25 May 2018. Although it may have sent some companies into panic mode, it had already been adopted in 2016, replacing the EU Directive 95/46 adopted in 1995. 

So where do businesses stand today? Delano spoke with three experts working in the area of data protection to get a consensus on the regulation, nearly one year on.

Facing “a big mountain”

Mélanie Gagnon moved to Luxembourg from Quebec, Canada, in 2015 to start MGSI, a consulting firm which specialises in data protection. She had been keeping an eye on what was happening in Europe regarding data protection and said the timing was right for her to move abroad to start her company.

MGSI has worked with local organisations on everything from gap analysis and privacy-by-design to training new data protection officers (DPOs) or former DPOs who want upskilling. Before GDPR came into force, Gagnon said, “there was panic, a lot of requests, people [had] inquiries on how to comply”. Now, however, it’s more of a “waiting mode”, with a distinction between larger companies and SMEs.

“For a lot of SMEs, they saw there were no big fines from data protection authorities, so they stopped worrying a bit,” she said. “Small companies… see it like a big mountain that they don’t know how to deal with, what to do, so we are more trying to let them know that the first thing is, at least, to have a look at what they are doing in terms of data processing activities, to prioritise the main actions.”

Gagnon promotes a risk-based approach, but she has noted that websites are still a priority issue, as many are still not compliant. Despite published guidelines, “there are a lot of questions at the European level, even for external DPOs”. While her company keeps abreast of what’s developing in terms of GDPR, there’s also another element at play. “I know in the telecom business they speak to each other about GDPR compliance because if one telecom company in Luxembourg is asking questions, and three others are asking the same question, they are talking to each other to… have some kind of consensus.”

Collective responsibility

National Commission for Data Protection (CNPD) commissioner, Christophe Buschmann, also advises companies to keep pace. “Either you move with everyone on a continuous basis, or you just don’t get it and you stop acting and the whole world moves forward… Then it will be very hard to catch up again.”

The somewhat positive news is that of the 220 data breaches reported to CNPD from 25 May to 31 December 2018, most were internal accidents. “That’s a very important point because sometimes you get the impression when you talk about data breaches or IT security that you focus on this malicious attack that might come one day, but actually most of the breaches are just accidents without bad intentions.” Buschmann acknowledged that, while this overall figure is “probably far from being complete,” he estimates Luxembourg is doing better than “half the countries” when it comes to notifications.

Buschmann believes the biggest challenge this year and moving forward, however, is the “transition from project mode,” during which time many companies reserved financial and human resources specifically for GDPR, to now having to “deploy this somehow into business as usual… you will not read about GDPR every day in the news, but you still need to keep it in mind and keep working on it.”

National Commission for Data Protection (CNPD) commissioner, Christophe Buschmann, advises companies to keep pace. Photo: Anthony Dehez/archives 

While company size does matter to an extent, the question on whether companies are complying doesn’t exclusively pertain to that. “There’s this risk-based approach in GDPR, so if you’re smaller… in general, you are processing less data, you engage in less risk, which should make being compliant less burdensome as well,” he said, adding that he realises some SMEs may be lacking a certain level of legal expertise.

At the time of the interview, Buschmann confirmed that an audit of 25 firms on the DPO function and its implementation was underway, but said the results could not yet be disclosed. He did, however, confirm that they would be shared once the audit concludes. “The idea is always that we want to share good practice and also point towards common bad practice.”

There’s also a larger picture: “There’s a clear idea to position Luxembourg as a data hub or IT nation, and I think there is a collective responsibility not to be the weakest link in all this,” Buschmann said. “Because the day there is an accident, and it’s a Luxembourg firm, nobody will ask if the others were more compliant than the one that suffered a serious accident, they will just conclude that all the others are on the same level.”

Up to speed

So where does that leave us? Gary Cywie, counsel at the law firm Elvinger Hoss Prussen, specialises in data protection and privacy. Cywie confirmed that few financial companies took advantage of the two-year transitional period when it came to GDPR: “Many businesses in Luxembourg were busy implementing other regulations such as Mifid II, Basel III, new CSSF circulars, and spending time to reflect on the consequences of Brexit.”

But he urged companies to implement the “less visible, but nevertheless necessary measures”, which include implementing technical and organisational measures to ensure data protection, conducting impact assessments where necessary, and adopting safeguards for personal data transferred outside the European Economic Area, to name a few.

“Supervisory authorities did also need to get up to speed with the new regulation and reorganise themselves to familiarise with their new investigation and sanction powers,” he said. “This means that we will also see more investigations and sanctions as we go, with their bunch of potential judiciary matters.”

Luxembourg Data Protection Days

Now in its third edition, LDPD brings together some 500 players in the field of data protection on 6-7 May, with a wide range of speakers and workshops, plus a networking evening.

This year’s focus is “GDPR, one year on”, and participants can hear from other businesses about the challenges they are facing, as well as which methodologies and implementation solutions have been adopted. LDPD is an initiative started by MGSI, now co-organised with the Luxembourg Chamber of Commerce and held on the Chamber of Commerce premises.

For more information, visit www.ldpd.lu