With just over six months until May 25, it was unsurprising that GDPR was one of the main themes of this week’s ISSE Conference, held in Brussels.
In fact, most of the speakers mentioned it, even if it was not the central topic of their talk. In his closing keynote, which reviewed the year in crypto, Professor Bart Preneel said that one solution was to put stickers saying ‘privacy by design’ on everything.
Opening the conference, Philippe de Backer, Belgian Secretary of State for Social Fraud, Privacy and the North Sea, said in his keynote that GDPR is a “much more modern, a much more up to date, stronger, clearer and transparent working data protection authority.”
He said that on the one hand there is a large focus on prevention and information, providing guidelines and legal certainty, and on the other hand there is “a very repressive sanctioning mechanism.”
The fines, which will either be up to €20m or 4% of a company’s global annual turnover of the previous financial year (whichever is higher), did get some comments. Chairing a track on ‘GDPR for CIOs’, Erik Luysterborg, EMEA Privacy Leader for Deloitte, said that the “requirements force you to demonstrate compliance” where “you have to do what you say you do.”
He claimed that the introduction of GDPR will force companies to look at data management as a whole, and that if you can do it right, “you get more effective data management”, which will create a more stable environment for cloud and data analytics.
Also speaking was Herwig Thyssens, head of T-Trust at T-Systems Belgium, who said that GDPR is “a complex thing” and not just about law, security or technology, but something to maintain for the rest of your business life. He claimed that like a good investment, to get money from it you have to prove to your customers that it is worth investing in.
Thyssens said that GDPR will also help remove common gaps in implementation, as well as make data ownership more clear, which he called “the most important element in GDPR” as without that, “you will not be able to provide assurance or use the added value of the GDPR to get more business.”
Thyssens concluded by saying that a company’s board needs to push GDPR, and every business needs to do a compliance check and document so they know where their weaknesses are.
In preparation for GDPR compliance, this does seem to be a sensible direction – know where things are, be able to respond to a customer query and have buy-in from all parts of the business.
Also speaking was Johan Fontaine, manager and technical expert at PwC, who said that “GDPR assumes maturity” and for most organizations, there is an assumption from GDPR that you have a security plan in place.
Luysterborg asked the two speakers if they felt that GDPR provided an opportunity. Fontaine said that compliance and risk are the opportunity of GDPR: if you look at most organizations, they rarely know where their data is or the value of their data, nor do they know what they can do with it, and GDPR is a driver of that.
“I don’t know many companies that will be ready, but they need to prioritize,” Luysterborg said. “Understand the ramifications and change of culture that will be needed, privacy by design is about embedding it. GDPR is not a 2018 issue but an opportunity to reassess processes and data culture, and the guiding principles will be to combine efforts vs silos.”
Luysterborg started the session off by saying that GDPR is “not about legal or technical aspects only”, but that it goes hand in hand with data governance and ownership.
As the months tick by, it's becoming clear that GDPR is more of an opportunity for consumers to understand how companies process and manage their data, alongside a genuine concern from businesses on how to comply with it. The discussions this week, in the capital of the EU, did make one feel closer to the heart of GDPR and gave some reassurance on its benefits, but as questions continue to come on its various facets, how ready European businesses will be come May 25, 2018 remains to be seen.