MARKET | Aug 9, 2018

GDPR: A first stocktaking

After the entry into force of the GDPR, what are the doubts that remain on the regulation?

Two months after full application of the EU General Data Protection Regulation, better known as GDPR, let us try to take stock of the situation regarding the adjustment of companies and organizations to the provisions of the new personal data protection law, often incorrectly referred to as “Privacy Act”. From what can be seen, the objective of “total compliance” is still far away, and there are doubts whether it will ever be reached.

What immediately catches the eye is the drastic drop, starting from May 25, in the number of e-mails containing information and appointments that could make you think that the process of  adjustment has been completed on time. Even if it is not exactly so.

Many companies in Italy have not considered the need for adjustment, perhaps still waiting for the announced decree law that ought to harmonize the so-called “Privacy Code” – the code regarding the protection of personal data (Legislative Decree 196/2003) – with the European Regulation and which will be examined in committee on August 21. This is the outline of the decree pending approval.

On the other hand, other companies have taken action but they have taken the affair “a little on the light side”, mistakenly thinking of getting by with the usual avalanche of missives sent everywhere, at times risking ridicule like those who, “with the GDPR having come into force”, send out the new policy statement under defunct Law 675/96.

Still others – but they do not appear to be the majority – have embarked on an actual process of adjustment but not all have yet completed it.


What doubts still remain?

It is impossible here to discuss all the issues that successful adjustment should take into consideration: one can only hint that a good methodology could divide the activities into formal adjustment, organizational adjustment, technical adjustment and governance.

Among the many doubts that have not yet been clarified is the need or not for the appointment of a Data Protection Officer (DPO), what security measures are to be applied, when it is necessary and how the Privacy Impact Assessment should be implemented, as well as many others.

Having remained orphans of the minimum security measures defined in Annex B (the technical specification of Legislative Decree 196/2003), data controllers are in any case obliged to “put in place suitable technical and organizational measures to guarantee a level of security appropriate to the risk”, whatever that means. And off they go, slavishly applying minimum measures. And that’s all.

How have companies organized themselves?

Most companies rely on external consultants who generally fall into two categories: consultants with a legal background (lawyers) and those with a technical background (mostly computer engineers). There is no lack of surveyors, accountants, consultants for safety at work, consultants for quality certifications, and so on and so forth.

Nothing against that, let it be clear. No specific qualification, certification, degree or badge is required to offer good advice on the protection of personal data. Only, I would suggest that companies evaluate well the skills and experience of those who put themselves forward as experts. In fact, there are not many experts in “privacy legislation” who are equally familiar with technical issues related to IT security, just as there are not many computer engineers expert in IT security who are also experts in “privacy legislation”, and both skills are indispensable for being able to achieve a level of adjustment that is at least acceptable.

The various programs and tools for adjusting to the GDPR that promise easy and tailor-made solutions cannot be the only solution if the user does not have the necessary experience and knowledge.

DPO, yes or no?

This consideration leads us to the DPO chapter, which deserves a few lines aside. As we know, public bodies must necessarily appoint a DPO, but for all companies this opens up a debate. Not even the FAQs of the Garante (Italy’s Data Protection Authority) shed light on what to do and the legal indications (obligation of the DPO for large-scale processing of particular data or processing that requires regular and systematic control by interested parties on a large scale) are rather woolly. What is meant by “large scale”? The only light, even if minimal, comes from document WP243 – the European Commission’s Guidelines on Data Protection Officers – which I recommend you consult.

Returning to the “post May 25” situation, there is also total confusion as regards the remuneration of DPOs. A rapid search among the invitations to tender for appointment of the DPO proposed by public bodies shows the most varied results. They range from 1,500 euro per year, offered as a base (downward) by some schools, to 50,000 euro made available by some institutions, with various variations between.

Fortunately, at least the tasks of the DPO are defined by Art. 39 of the GDPR. Or maybe not? I know of colleagues who have had to deal with situations that are nothing short of catastrophic, anything except informing, providing advice or monitoring compliance with the regulation.

In short, two months after full application of the European regulation, there is still a lot of confusion. It is true that a process of adjustment is never-ending. It is true that the paradigm of the Deming wheel, which is taught in all the courses that talk about management, tells us that we must always return to the start. The Italian habit of always waiting for the last minute is also true. But there is also one thing to say: given the gestation time this regulation has had, we could have expected something more.

Paolo Giardini