The GDPR represents a fundamental change in the way companies approach their data management. Do you think that the message is being taken sufficiently serious by Luxembourgish companies?
Our discussions with companies over the last few months have enabled us to make two observations in this respect.
Firstly, the companies we meet at our conferences are often very worried because they have heard about the sanctions or certain difficulties that other companies have encountered in their data management. For these companies, the role of the NCDP is mainly to explain the principles to be applied and to provide guidance so that they can move forward in their compliance efforts.
Secondly, we believe that there are a large number of companies that are not (or not sufficiently) aware of the rules to be applied. Unfortunately, we cannot expect to meet them at our conferences or trainings, simply because they have not yet identified the need to get informed. Many companies do not feel concerned because they do not process so-called 'sensitive' data. In reality, however, it is not that simple. All personal data falls within the scope. Even if we can assume that compliance for these companies would not necessarily require a huge effort, they would still have to go through the exercise to check their compliance.
Our aim is therefore for the first group to adopt a constructive approach to the changes and for them be reassured by the information received - and to communicate this message to the second group.
The NCDP currently holds an accreditation role. This function will disappear on 25 May. Who will companies then be able to turn to for advice or a GDPR certification?
The NCDP will still have a responsibility to provide guidance. Guidance is different from advice. The former is not specifically aimed at a company, but rather at a sector. In theory, it concerns a given topic. This approach should enable a maximum number of companies to be helped, which would not be possible through individual 'advice'. That being said, the NCDP will, of course, remain available to advise companies on more specific or complex issues that cannot be covered by existing guidance material.
Through its relationship with the many organisations that represent businesses, the NCDP also hopes to give companies the tools and guidance they need to guide their members on data protection issues in their particular business context. The NCDP has already communicated on several occasions its willingness to involve and assist companies, a message that has been well received. Many very constructive initiatives are underway.
As for the matter of certification, the NCDP is currently working on the subject and will inform the companies as soon as the case is sufficiently advanced. We do not want companies to think that 'certification' is the solution to all issues and to thus postpone their compliance efforts until it becomes available. We are aware of the expectations of businesses and will move this issue forward as quickly as possible. However, we caution companies that the certification process is a tool to 'verify' compliance. It will therefore be necessary to ensure all conditions for compliance have been met beforehand.
While structured data (ERP type) is fairly easy to identify, it is much more difficult to make an inventory of all the small, disparate files and lists (Excel, text, letters, screenshots...). What approach do you recommend for such unstructured data?
We recommend starting to identify the types of data processings first and then mapping the data onto the processings. In fact, one piece of data can be (and most likely is) used in many processes. It is the context of that process that is important (e.g. a name on a list for a newsletter is not the same as a name on a list of cancer patients).
Another strength of this approach may be the prioritisation of 'high risk' data treatments. An identification on a case-by-case basis would be necessary to determine to which extent unstructured data is involved in such treatment.
However, this approach is not mandatory. If one completes the exercise, the result should be the same. The NCDP is not prescriptive in this regard and encourages companies to share efficient methods with each other.
Some economic sectors are more concerned with data management and processing than others. Do you see a difference in the application of the GDPR depending on the sector of the company?
The GDPR applies to all sectors. However, certain factors can influence the application of the GDPR, such as the regulation of a sector. If a sector is already regulated, companies may be more used to following regulatory developments and have internal structures in place to ensure their smooth functioning.
How will controls be carried out after 25 May 2018? Does the NCDPD see itself in a support or control role after this date?
The NCDP wants to keep a balance between guidance and control. It also seeks to raise awareness of the fact that controls are not only intended as a means to sanction processes. They should also enable the NCDP to identify recurring error areas, on the basis of which it can draw up guidances that will help companies to improve.
The 4 aims that the NCDP has set for the controls are:
- to identify specific and recurring problems;
- to verify the implementation of the guidance provided;
- to investigate reported problems;
- to verify the implementation of compliance measures.
Find more information on compliance monitoring
in this document.