Protiviti has issued a series of podcasts on various specific aspects of the General Data Protection Regulation (GDPR), the comprehensive EU data privacy law that became effective May 25, 2018. Below, we offer a transcript of our conversation with Cal Slemp, a Managing Director with Protiviti’s Security and Privacy practice. Cal gives an informative and fascinating overview of the organizational structure and dispute resolution process under the GDPR, as well as his observations on companies’ experience with regard to personal data.
In addition, Protiviti has issued a GDPR FAQ guide, which provides answers to many of the questions companies have in working to comply with this complex law. Your questions are welcome, both here and on our website.
Powerful Insights GDPR – Cal Slemp
June 21, 2018
Kevin Donahue: Hello, and welcome to a new edition of Powerful Insights. This is Kevin Donahue, a senior director with Protiviti. I’m joined today by Cal Slemp. Cal is a Managing Director and a leader with Protiviti’s Security and Privacy Practice, and I’m going to be talking to Cal a bit about the new General Data Protection Regulation, which has just gone into effect for companies operating in the European Union. Cal, thanks for joining me today.
Cal Slemp: I’m happy to be here, Kevin. I look forward to the discussion.
Kevin Donahue: Cal, let me ask you this first question, which is, this is a big regulation that’s generating a lot of news and, obviously, a lot of attention from companies. What are you hearing and seeing from the companies you’re talking to in the market right now about their thoughts on this?
Cal Slemp: Yes, Kevin, it’s a great question, and as you say, there have been an enormous number of things that have happened in the very recent past that have brought this whole concept of personal privacy to the fore – even more than GDPR, perhaps, has done it. This is an interesting evolution with GDPR, that it has evolved from the European Union Data Directive, which has been in place for over 20 years now, but there are some nuances to it – and important ones that I see my clients, or at least the folks that are talking to me about this topic, are very focused on.
The first one is that the nature of what information is considered personal information has been modified. As we have evolved from a technology perspective, the things that you may have thought of as being personal information – name, address, marital status, financial information – has been added to take into account your online persona. So, email addresses and things like that that lots of organizations capture is now part of what is considered to be personal information.
So, one of the biggest things that companies are grappling with is, “Gee, what information do I have, and what’s considered personal information?” That, in and of itself, is just a big modification. So, as I go down into that evaluation, they’re getting very surprised that what they indeed have captured, some of them don’t have it classified, so it makes it a little bit more difficult to push forward with and have clarity on what you have and how you’re going to respond to GDPR. Lots of them don’t have retention policies in place, so they’re keeping lots of information they really don’t need – another kind of a no-no, from the GDPR perspective. So, the data issue is predominant, and it’s been heightened because of this addition to what data is being regulated with this online stuff, Kevin.
The other elements about it is, “Am I getting consent?” “Do I have the right structures in place to allow what’s called transparency with GDPR?” You know, tell an individual what information I have about them, allow them to see it and, ultimately, respond to requests for erasure. Those are all things that organizations are very, very focused on today, but the core of it is, “Gee, what’s the data, and what’s regulated? What do I need to be looking at and be careful of?”
Kevin Donahue: Thanks, Cal. I wanted to also dive into one area with you in particular involving all of the different parties and people and titles involved with GDPR. What approach or approaches are these different parties taking, and are there some differences of opinion on how they’re going about it?
Cal Slemp: That’s a fascinating question because, indeed, especially for those in the U.S., a lot of new titles are coming up – government-oriented titles all around data protection. Let me start with the genesis – at least, my view of the genesis – of this. Each of the nations in the European Union, most especially, have had the personal privacy of their citizens as a very, very important factor in how they support their constituencies. For many years, each country has had some authority in place to manage data privacy – and I’m speaking very specifically about the European Union countries now, Kevin. So, the fact that they have these individual country approaches and thoughts, and coupled now with the fact that they are part of this larger organization called the European Union, over time, they have had what is called a data-privacy authority, a DPA, in each individual country managing privacy for that country.
They’ve come together with laws like the European Union Data Directive, which I referred to before, which is from 1996, and now GDPR says, “Hey, look, what we need to do is manage things from a country perspective specific to the needs of our citizens, but collectively, we also need to do this,” and they have essentially taken a high-watermark approach and created what is called the European Data Protection Board, which is made up of the head of each of these country organizations, DPAs, as well as an overseer, if you will, for the European Union called the European Union Data Protection Supervisor.
So, this EDPB, European Data Protection Board, exists to essentially make sure they’re clear on all of the needs of the countries individually and bring that into what is now the regulation with GDPR and, ultimately, use this board as a way to manage the implementation of GDPR worldwide. I hope that answers the question as far as the people in the organization. Lots and lots of people, lots of countries, obviously, with a voice to a European Union board, which then has the voice created for the entire European Union.
Kevin Donahue: Yes, Cal. I thought you covered that very well. Thank you. Last question, as a follow-up to your discussion there, and maybe the board you described is going to cover it, but again, with all these parties in place and what they’re doing, what are they able to do now or trying to do to manage the consistency of application of GDPR?
Cal Slemp: The word that you used, Kevin, consistency, happens to be a word that’s used in the regulation itself, and it is the objective of this board to make sure that this is being applied uniformly. Perhaps I can use an example that may bring this to life, but the essence of the approach is to have each of these country-based supervisors, the data-privacy authorities, be responsible for educating their communities, their citizenry, as to what’s going on and be there in case there are issues, and help adjudicate them. This thought on consistency, though, the European Data Protection Board is there to make sure that if a dispute gets raised, there is a very clear approach to how it’s going to be dealt with, and if there are questions, the board will declare, “Hey, this is the question that came up. Here is the ruling that we have as a board that will be applied by everybody.” That’s called the rule of binding decisions of disputes.
But let me maybe offer an example. If I’m a citizen in France and I have an issue, I can bring that to my French data-protection authority, or I can bring it to the European Union one, and in either case, it will be elevated to the European level, and they will decide, based on a variety of things – like where the person bringing the dispute is from and who the company is that they have the dispute with, where that company is doing their processing. There are a variety of very straightforward ways that are going to be used to ultimately say, “Hey, look, what we’re going to do is create a lead supervisory authority to be the one that helps this dispute get moved through the system.”
So, as an example, if we have an organization, here we said the citizen was in France, the organization their dispute is with is in Sweden but also does business in Poland and Germany and the United States, the board will decide, “Hey” – and I’m making this up in this case – “because the organization does most of the processing in Sweden, we’re going to make them the lead supervisory authority on this dispute. We will allow France, Poland and Greece to be concerned supervisory authorities and watch what’s going on, but the one in Sweden will take the dispute, work it through. If there are any questions, they will leverage the European Data Protection Board and get this clarification or whatever concluded, and then it’ll be applied uniformly throughout the European Union.”
So, those are maybe a lot of words, and, hopefully, a good example, but the point is that there is within the regulation an approach to say, “Hey, here’s how we’re going to organize ourselves. Here’s how we’re going to come to conclusions on what we should do in this regulation. This is the way we will handle disputes. There’s a leadership one, so we reduce any duplication of effort.” Frankly, they eliminate it, and then reinforce the fact that we’re going to consistently apply this throughout the European Union. I hope that makes sense.
Kevin Donahue: That does, Cal. Thanks very much. You’ve provided some great information on what is truly a hot, complex topic, a challenging topic, for organizations. I want to invite our audience to visit Protiviti.com/GDPR, where you can find much more information on the new regulation, including our resource guide, as well as other podcasts in our series.