Privacy Day 2019: the best moment for a seven-month GDPR adoption status analysis
Question: 7 months after May 25, 2018, when European legislation in the field became stricter, what is the GDPR compliance status of companies in Romania?
Answer: Looking from a regional perspective, Romania does not present a particular status very different from other EU countries. We have of course to consider the local specificity related to the economic status and the legal landscape, but business entities from Romania have had to confront the same key challenges as any other EU country. What is important for any personal data controller is to understand that GDPR should not be treated as a calamity. Making coordinated efforts to be aligned with the compliance standards orchestrated by GDPR principles, any organization should adopt the business process changes as an engine of business transformation. And from this perspective the drama is coming. According to my research and permanent interaction with the market realities, the main obstacle in GDPR process adoption does not come from a lack of technologies or of people's skills in cybersecurity. The main braking factor is the lack of managerial commitment to perform changes. It is the attitude dictated by the management’s resistance to change. And this attitude is not associated only with GDPR’s “tsunami effect”. It is a resistance reaction to any disruptive technology.
Question: Privacy, integrity and availability of data are the main drivers for data security policies. Do you think this still applies after the 2018 experience?
Answer: Looking at one of the most important goals of the new EU Regulation, GDPR compliance should first of all serve the fundamental freedom rights of any EU citizen and trust in data privacy. We have to learn how to respect our data and how to protect it, in order to give this data freedom of movement in the safest ways. This is one of the GDPR paradigms.
The other is building a personal data protection culture. A GDPR adoption project is not a simple IT implementation or a contractual content upgrade to fit the new legal frame. A GDPR adoption project should first of all create the foundation for GDPR culture implementation. As in the cybersecurity industry, we do not have a 100% safe solution. Any new technology wall is made to be broken… In the same philosophy, it is practically impossible to consider yourself 100% GDPR compliant. But to come closer to this ideal, you have to build a GDPR culture. And for this we need time. We have to create a privacy culture in our organization. We have to educate employees on the importance and impact of protecting client, employee and partner information, as well as on understanding the key role everyone plays in keeping it safe.
Question: It seems we first of all have to build trust…
Question: Where is the place of data protection in a cybersecurity strategy? Are managers and employees of companies aware of it? Is the human factor the critical factor in this equation?
Answer: The essential transformation GDPR brings is that we have to reconsider the cybersecurity strategy. The core is no longer data protection. We need business life-cycle insurance for the whole personal data flow. We have to extend our protection efforts from business data to the whole personal data flow in a company, from data collection, simple processing, local storage, data encryption, data exchange and communication tools, and international data transfer, to data archiving and final storage. In summary, it seems we need end-to-end solutions. Here is the difference between the very specific concept of PIA (Privacy Impact Assessment) and the larger concept of DPIA (Data Protection Impact Assessment).
Question: It is all about Compliance. But is it a safer world now?
Answer: “Compliance” is a term used 85 times in the EU Regulation text. What truly is Compliance? Through the different phases, the data Controller or the data Processor must demonstrate that it performs every activity related to the protection of personal data, covering compliance with the principles (Art. 5 c.2), appointing a DPO (Art. 37), running a risk analysis or a DPIA (Art. 35), adopting data protection by design (Art. 25), keeping registers of processing activities (Art. 30) or a data breach management system (Art. 33, 34). So, practically, we have to prove this Compliance through every process, policy or procedure adopted.
Question: What changes has data protection legislation brought to the cloud trend?
Answer: This is really funny. Cloud computing was perceived from the beginning as a disruptive technology. Now we have to analyse how disruptive GDPR is for cloud services. The good news is that the Cloud is not a problem from a data protection point of view. As long as the contractual terms respect the principles, there is a legal basis for the services, liability is assumed transparently and the data subjects are fairly informed about the processing and storage conditions of their data, everything is in accordance. Depending on the types of services offered, a cloud provider can be considered a simple data processor (hosting and management-free hosting) or a private, public or hybrid cloud provider. From the data protection and security features point of view, it is well known that a cloud service could be considered a safe solution by transferring data protection responsibilities to the cloud services provider. Let’s remember that the Cloud Security Alliance established two years ago a Code of Conduct related to cloud services security issues, offering cloud providers a very valuable resource to demonstrate their conformity by adopting this Code of Conduct.
Question: What are the most important risk factors in the Romanian market related to GDPR adoption?
Answer: Here we are entering a “50 shades of grey” area. The start of any alignment project is organically linked to a managerial decision. Nothing can be done if management is not convinced of the importance of the subject. But understanding the importance is not everything. Management must conduct the start of activities, set up a team, delegate a responsible person, and especially plan resources. This means getting involved. Any business analysis or audit that is the first step in conducting a compliance assurance project is about the level of managerial engagement. Are the managers directly involved, do they participate in discussions, or do they delegate a trusted person to handle everything?
What situations can actually be encountered? All the implementation steps undertaken so far have in most cases been the result of external pressure and quite rarely the result of a real management conviction. Unfortunately, there are still many managers who consider GDPR:
a stupidity, a simple bureaucratic exercise, a threat with huge penalties that will never endanger our organization, a lot of money thrown away, a great bluff; no one has been fined so far, none of their buddies or partners did anything for it, and nothing happened to them. And the list could go on and on...