Two days about data protection one year after the GDPR - my takeaways


I am not a fan of political speeches and introductions by VIPs. The contribution of Viviane Reding was an exception, as it was personal and gave an insight into the background of how the GDPR was born. At least to me, the long haggling about the GDPR and the discussion on what is new and what is not crowded out from public discussion the ethos: to protect personal liberties against dictatorship and the principle that data belong to the person herself (or himself). The ex-commissioner for the area and MEP rightly boasted that in this field, the EU is a standard maker.
It is also interesting to note that while Europe only followed the U.S. in establishing net neutrality, the U.S. has now retreated from it.
It was at the Luxembourg Data Protection Days, organised by MGSI, that the experiences of one year of the GDPR were discussed.
Tine Larsen from the CNPD complained about GDPR-bashing and about the fake news circulating around the GDPR. The fact that Luxembourg passed the laws regulating the (not too numerous) issues which were left to member states confirms Ms. Reding's point: after the enthusiasm generated by the news of the GDPR being voted, enthusiasm subsided, the two-year span for preparation until its entry into force was too long, and the EU countries left the implementation to the last minute.
Cybersecurity is closely related to data protection and is an important tool to ensure confidentiality, so a number of lectures dealt with it. Statistics on incidents (notification of data breaches is one of the main areas where the new regulation has triggered action) were presented - Luxembourg is not big, but has a share of digital operations much bigger than its size warrants.
Just some numbers: 57% of violations were caused by human error, while external malicious intervention caused more than a quarter; missent data were responsible for 50%, hacking for 33%.
The recent cybersecurity strategy of Luxembourg and the institutions ensuring security of public services, critical infrastructure and also assisting the private sector figured prominently among the topics - cooperation between actors, even when they are competitors, benefits the customers - critical sectors like insurance and banking show good examples.
Government initiatives such as certification standards (as they consider ISO 2700X too general), assistance in incident response and training also show the support which helps the economy and creates trust.
General and specific compliance tools were presented - the specific areas handled are consent management and data subject request management.
A shift of responsibility from the DPO to the controller was an implicit impact of the new regulation observed by - just guess - DPOs.
Coming back to security: security-enhancing monitoring and logging must be reconciled with the data minimisation and transparency principles. I regret that a related topic, the restriction of data subject rights for security, law enforcement and related reasons, was not discussed.
Other areas where reconciling other regulations or practices with the GDPR is not easy - even when there are specific stipulations about them in the regulation, or maybe just because of that - are archiving and conservation. Private health insurers also consider it a challenge to find the right legal basis for using health data in their day-to-day work.
I found it intriguing that the public sector in Luxembourg has a data protection commissioner beyond the DPOs of the individual institutions. His experiences and considerations are also worth attention in the future, just as those recounted by practising DPOs.
A good overview of data breach notifications and of privacy by design helped to put some order into my thoughts, too.
Overall, it was worth participating - the IAPP announced two days later that they have set up a Luxembourg chapter; it is a pity they were not there. So I am looking forward to a follow-up and the next instance of this very useful exchange of experience.