An interview with Matthaios Hadjimatthaiou about GDPR

An interview with Matthaios Hadjimatheou @ Pelecanos & Pelecanou 

Matthaios Hadjimatheou speaks about GDPR, the challenges it faces today and Privacy Protection Plans

1. What is the GDPR and how does it affect the professional practices of data protection on a global scale?
   There is no hyperbole in stating that the attention of the global privacy and data protection community is entirely focused on Europe. With the passage of the General Data Protection Regulation (full title and reference: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), the European Union has once again put a stake in the ground to mark the most robust (so far) privacy and data protection regime in the world.
   
   In the form of a Regulation, this new legal instrument devoted on data privacy is, by nature, directly applicable in all EU member states and so does not require further implementation into national laws. As of 25th of May 2018 it immediately applies throughout the European Union.
   
   The GDPR is the most recent effort to unify the long-lasting and enduring approaches (OECD guidelines, Convention 108, Directive 95/46/EC, Directive 200/31/EC, Directive 2002/58/EC, etc) taken in the past on an EU territorial and extra-territorial range. The purpose of having a single Law was intended in an undertaking to provide for much needed consistency. However, time has proven that national interpretations and idiosyncrasies have made it quite a challenge.
   
   Its legal effect is not limited only on organisations established and operated in the EU but goes even further and includes international organisations which offer to sell goods or services (irrespective of whether a payment is required and as a result process personal data of data subjects who are in the Union) to or who monitor individuals in the EU (as far as their behaviour takes place within the Union).
   
   What does this mean for a private and public organisation? The new Regulation may not only limit an organisation’s ability to lawfully process personal data, but it can also have a significant impact upon its core business processes and even its business model.
   
   Every organisation that falls under the territorial and material scope of the GDPR is obliged to adhere to the Fundamental Data Protection Principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability) and the Lawful Processing Criteria (consent, contractual necessity, legal obligation, vital interests of data subjects, duty of public interest and legitimate interests). Moreover, organisations are mandated to be in readiness and be able to support data subjects in exercising their rights (access, rectification, erasure, restriction of processing, data portability, object, not to be subject to automated decision-making, consent withdrawal).
   
   Therefore, existing policies and procedures shall be updated to reflect the above and/or draft new ones to cover any shortcomings.
   
   
2. What are the challenges of today’s businesses regarding the protection and security of personal data and staying in compliance with the data processing principles?
   First and foremost, the most difficult hurdle of any an organisation, as to a new regulatory development, is to understand the actual underlying reason of data protection and why this applies to both big and small size companies. Another hurdle is to understand the underlying purpose of data processing and limit any deviations from the initial purpose. Sometimes it is a fine line between the initial and any other compatible purpose. Attention to details is needed as the very reputation of the organisation is at stake.
   
   What the majority of organisations do not observe is that the protection of their client’s data contributes in their turnover, thus creating a win-win situation. This sounds paradox at first, but taking into consideration that the organisation may be sanctioned with severe fines/penalties, every organisation needs to re-evaluate its risk appetite.
   
   The appointment of a Data Protection Officer (DPO) is a very hot topic nowadays as many organisations do not know if they are legally mandated to do so or not. In most cases the Office of the Commissioner for Personal Data Protection recommends the appointment of such a person or at least a contact person for data issues, on a voluntary basis.
   
   If the question of unjustified and counterproductive restrictions arises, rest assured that there are multiple and effective ways to implement the best possible methods to adhere to the principles of the GDPR while not limiting productivity. As data protection consultants, we strive to educate our clients and bring to the forefront the legal reasons but at the same time the benefits of protecting their data.
   
   
3. A ‘one size fits all’ approach
   The misconception of most organisations nowadays is that the publishing of an online privacy policy and the establishment of a consent letter upon the formation of a business-client relationship, are sufficient to determine that they are fully in compliance, accountable and in complete conformity to the Regulation. Unfortunately, this is not the case. Accountability and responsibility are an ongoing process which encompasses a variety of steps and measures. The latter can only be achieved through a plan that is implemented collectively by all personnel under a new culture oriented around privacy protection.
   
   
4. What is a Privacy Protection Plan (“PPP”) and what does it bring to the table?
   The PPP is a compilation of steps and procedures drafted by the responsible person (whether this is the Data Protection Officer, the Information Security Manager or whatever other title he/she has been given) regarding the protection of data collected from both employees and clients, that have to be collectively implemented and applied by all personnel. It is one of the best methods to adhere to the provisions and principles of the GDPR. Particularly the accountability principle, which is based on an anticipatory basis, PPP makes sure that sufficient evidence of compliance is actually being produced throughout the process.
   
   PPP is not intended to burdensome the organisation with a rigid tick-lists but instead offer a flexible self-regulatory tool. Its core is not IT oriented but instead focuses on the change of practices in a practical level that goes deep in each personnel tier. Notably, it is tailor-made and oriented around each organisation’s risk appetite. While each organisation will find its own way to operationalise compliance, the PPP embodies a foundation upon which everyone can build. Each organisation has its own data protection challenges that are unique to its business plan or mission.
   
   
5. What are the prescribed actions of a PPP?
   PPP consists of total 4 actions. Each of them will be outlined briefly below.
   
   Action 1: Identification:
   This is where the initial preparation is being made throughout an organisation. It sets the legal landscape under which the data protection and privacy requirements, emanating from the new Regulation, are being analysed. It also includes the collection of relevant Laws, standards and Regulations that affect all functions of the business of the organisation. The readiness and awareness of the organisation are also examined leading to the establishment of an action plan, under which the organisation will look closely to the data flows, create a Personal Data Inventory and generally perform initial data audits and assessments to identify risks and gaps. The Senior Management of the organisation will determine the requisite recourses for the said plan and set the beginning of a better privacy management.
   
   Action 2: Structuring and Organisation:
   The second part of the PPP is the establishment of the organisational structures and mechanisms for the privacy needs of the organisation. The privacy strategy and program in the preparation phase are supported by data governance controls which are needed to provide further specific guidance to personnel for the collection, use, processing and protection of personal information. The engagement of all parties concerned (Senior Management’s commitment, involvement of stakeholders, etc) is given close consideration and the development of a data protection culture is of vital importance. The organisation will also proceed to the assignment of privacy responsibility to an individual (usually given the title of Data Protection or Privacy Officer) and confer the appropriate powers but also responsibilities.
   
   Action 3: Implementation and Training:
   The implementation is the one of the most important aspects of PPP in order for it to work effectively. Under this specific action, the organisation is asked to draft its customised policies, procedures, measures and controls necessary to implement the relevant Laws and Regulations. Additionally, the organisation will develop a data classification scheme which will assist the organisation to narrow the scope of what needs to be protected and on what level. Transferring data outside Europe, to third-countries could vary from being tricky to being dangerous. Thus, the drafting and implementation of a cross-border data transfer system is another aspect of this action. Finally, in order for all the aforementioned to come into fruition, all actors need to be adequately informed and this can only be achieved through a systematic and regular training plan.
   
   Action 4: Risk Assessment, Evaluation and Improvement:
   Under the final part of the PPP, the organisation is challenged to create a risk assessment process which it will enable it to identify and prioritize privacy and security gaps, risk mitigation, compliance and increase brand reputation and customer trust. On the same line, the organisation will perform the necessary Data Protection Impact Assessments (DPIAs) starting with already applied processes to future planned-ones. Internal and external audits and reviews may take place to monitor the operation and resolution of all privacy-related matters. Last but not least, the responsible person in the organisation has to monitor all standards, laws and regulations for any new amendments and/or developments.
   
   The presented procedures are a fraction (and not exhaustive) of what is included in the PPP and the mere fact that many organisations have already implemented it proves its valuable offering in the data protection framework.
   
   
6. What does the PPP strive to achieve and what is the advantage over other methods of compliance?
   The most important aspect of the PPP is to bring into line the senior management’s new risk appetite with how their employees manage and protect data. Recent researches have shown that most security failures are made through people. Ranging from accidents (unintentional) to deliberate (intentional) actions. Therefore, the human factor should not be taken lightly. One of the reasons for increased data breaches across the globe is the work of unscrupulous employees. The weak link in the chain is often human rather than technical.
   
   Article 32 of the Regulation is clear and establishes the obligation to keep personal data secure. The duty of security should reasonably include the continuum of applicable risks, from accidents and negligence at one end to deliberate and malevolent actions at the other.
   
   
7. What is the ongoing support after the initial setup of a PPP?
   Organisations that have chosen to embark upon the implementation of a PPP, will observe that after the initial setup, the most difficult and tricky part of the journey is over. Thereafter a maintenance stage is intended to be enforced on an ongoing basis. The latter focuses mainly on evaluation and improvement, which is achieved through various practices, namely: internal/external audits, privacy self-assessments and benchmarks, the execution of Data Protection Impact Assessments (DPIAs), risk analyses and monitoring new developments and Law amendments. Consistency is the key, therefore all the aforementioned have to be continuously sustained by a devoted person or external appointed organisation.