“Individuals will secure their own information better and companies will have to gain trust by proving they are not tossing around personal information,” was one of the main messages of the AmCham Focus “The Year After Tomorrow. The GDPR Will Become Reality.” Since in one year, on May 25, 2018, the EU General Data Protection Regulation (GDPR), which unifies and modernizes data protection legislation for all EU member states, will enter into force, we discussed at the AmCham Focus what this means in practice, how it will affect business, and how to apply all the regulations and still remain competitive.
The new Regulation protects personal information – whether that of an organization or an individual. Marko Kavčič, SAM & Compliance Lead, Microsoft Slovenia, explained in his keynote speech that more rights would be given to individuals, so that companies would not be able to manage our information without our consent, and that companies would have to adapt to this and change their business processes. The Regulation is so important because of its extremely high fines – up to EUR 20 million or 4% of the company's global annual income.
Another important change brought by the Regulation, in addition to higher fines for violations, is the uniformity of personal data protection in the EU – it will apply to all companies worldwide that process the personal data of EU citizens. The conditions for personal data processing would become more stringent, organizations would be required to appoint an authorized person for data protection, reporting of database breaches would become mandatory, the right to be forgotten would be established, and consent to the use of personal data would have to be clear and unambiguous. Data portability is also a novelty – an individual would be able to demand their own data and transfer it to a competing provider.
It would be necessary to find ways to ensure compliance with the Regulation and gain confidence
Roland Marko, Partner, Wolf Theiss, said in the first part of the roundtable that enterprises' awareness of what the GDPR means and brings is high. People are mainly interested in the novelties brought by the Regulation because of the serious consequences of non-compliance. The Regulation would, however, affect large and small businesses differently. Most big companies already have employees in charge of compliance, but this would be a greater challenge for medium and small companies, which would have to find a way to introduce mechanisms for ensuring compliance with the Regulation. “This is something that has to become a part of a corporate DNA,” emphasized Mr. Marko, adding that the GDPR would regulate an individual's personal information and that gaining users’ trust would be the greatest challenge for companies, so that people would give their consent more easily.
Robert Trnovec, General Manager, Microsoft Slovenia, said that people in Slovenia understood what the new GDPR brings and that companies were preparing for it. In times of rapid technological development, trust between the customer and the provider is the main foundation. “Individuals will secure their own information better and companies will have to gain trust by proving they are not tossing around personal information. Once established, this trust will help companies,” pointed out Mr. Trnovec, adding that in this respect the Regulation would help companies to develop. He also explained that the Regulation did not represent a significant change for Microsoft. “Our products already comply with numerous regulations; this is just one of them, only more complex,” he explained, emphasizing that it was necessary to have control over information. He also noted that this Regulation would affect some companies more than others: mainly companies that buy and sell information would have to adapt more. The fact remains that the Regulation would set a global data protection standard.
It is important for companies to implement a data protection framework. Oliver Currie, Head of Forensic Reviews, PwC, said that companies would have to adopt a holistic approach and evaluate what information to keep and what risks come with it. We would have to manage personal information proactively and ensure its safekeeping in order to comply with all regulations – in doing so, companies will require practical guidelines. The costs arising from implementing the Regulation would also have to be taken into account. Mr. Currie believed that some companies would have to closely inspect their entire business system and see what impact the Regulation would have on their business. In some cases, the GDPR would greatly increase a company's costs and would also bring major changes for governments and banks.
“Complying with the Regulation will result in key market advantage”
In the second part of the roundtable, Andrej Tomšič, Deputy Information Commissioner, Information Commissioner of the RS, also affirmed that trust between companies and individuals, and individuals' personal choices, were important for the implementation of the Regulation. “We are all individuals, and everybody is collecting information about us. Trust and choice are thus key factors, and companies that realize that will prosper,” he said. He added that the principal purpose of the Regulation was to give users back their personal information. “Complying with the Regulation will represent a competitive advantage on the market for companies, and companies will take care of it to avoid bad publicity,” he stressed, adding that realizing the value of data was of key importance. “Don’t wait for something to happen to you – prevent it before it does,” said Mr. Tomšič.
Nataša Pirc Musar, Partner and Director, Pirc Musar Law Firm, explained that the GDPR wasn't going to bring much change but would be a step forward in informed consent. An individual’s consent to the use of their personal information had to be unambiguous: the user had to give active consent, had to be aware of the information provided and of the purpose for which they gave consent, and the language of that explanation had to be understandable. She also said that more than 7,000 amendments had been submitted regarding this Regulation, since personal data had always been lucrative, and that individuals' awareness of the value of such personal data in the EU had advanced light years. She believed it was important that the Regulation was technologically neutral. “When the first such directive was drafted, the Internet was not yet in general use. This means that the new Regulation will last long because it is technologically neutral and doesn’t have to adapt to new technological change,” she explained.
Matjaž Štiglic, Director of Information Technologies, KPMG, also said that for companies that had been complying with current legislation, this new Regulation would not bring major changes. As one of the important challenges, he pointed out outsourcing: companies that outsource their work face new challenges. “There are many subcontractors that process different types of data. That is why we have established a complete system for selecting subcontractors and for deciding what to do if there is a disagreement between them,” stated Mr. Štiglic, advising companies to start dealing with the GDPR if they had not done so already.
An estimated 28,000 DPOs in Europe alone
The GDPR also introduces the post of an authorized person for data protection (a.k.a. Data Protection Officer, DPO). Some estimates show that in Europe alone there will be around 28,000 such persons. As Mrs. Pirc Musar explained, it is important that such a person have authority and be independent, because they would cover the entire field of personal data protection. She added that the Regulation did not distinguish between small and big companies and that all companies that handle sensitive data would have to have DPOs. Mr. Štiglic added that the majority of big companies already had an authorized person for managing personal information – someone responsible for compliance with legislation – who would now probably become the Data Protection Officer. “At every moment, we must know how to process data, who is processing it and how. It is thus good to have a person who really knows this,” said Mr. Tomšič.
Regarding the supervision of companies, Mr. Tomšič explained that there was not, and never would be, full control, but that it wouldn’t be worth violating the legislation since the penalties were extremely high. There are supervisory authorities in each country of the European Union, and the EU is striving to achieve uniform operation of these supervisory authorities, thus strengthening cooperation between the Member States. He added that the Regulation was unifying the European area, but that differences would always exist because the rules would never be exactly the same in all Member States.
Slovenian companies are also actively preparing to implement the Regulation. Case studies showing the challenges they face in doing so were presented by: Maja Golovrški, Director of Compliance, Zavarovalnica Triglav; Peter Govekar, GDPR Project Manager, A1; Jasna Kajtazovič, Director of Product Development and Marketing, Abanka; and Nenad Mrdaković, Compliance Officer, Petrol.