On December 6, Snow joined forces with experts from Deloitte to help organizations around the world prepare for the introduction of The General Data Protection Regulation (GDPR) in May 2018. You can view an on-demand version of the webinar here.
With more than 30 questions submitted by the live audience, there simply wasn’t time to answer them all on the day.
So we’ve taken a selection of the questions posed and answered them below with the help of Dr Ljuba Kerschhoffer-Wallner, resident GDPR expert at Deloitte.
For more information on how Snow and Deloitte have joined forces to help organizations like yours prepare for GDPR, contact us today.
General GDPR Questions
Q: We only store business emails, addresses and contact numbers. Does this require the same level of the GDPR as personal information?
A: YES. Any kind of information stored about individuals that allows them to be personally identified is covered by the GDPR legislation.
Q: How can we balance the obligations of GDPR against the privacy rights of our employees?
A: The GDPR does not require organizations to read or analyze the content of mails, etc. In contrast, the GDPR requires that you set up measures to protect this data, e.g. by using IT appropriate security measures.
Q: Would it also be prudent, when trying to get to a GDPR-ready state, to document exceptions for the entity, future plans and budgets for compliance control activities, and compensating controls?
A: Documenting your approach shows that you have a plan and are willing to implement the GDPR regulation. Therefore, this is a good action.
Q: Will the GDPR be applied consistently across the EU, or is there any regional variation?
A: The general principles of the GDPR apply to all EU countries in the same way, but the GDPR provides certain opening clauses that already are (or will be) concreted by national legislations (for example, concerning the manifestation of penalties).
Q: Do public sector/ authorities also have to comply with the GDPR? Are they also at risk for data misuse?
A: YES. Public organizations also have to comply with the GDPR and are at risk for failure to comply.
The GDPR outside the European Union
Q: Will the GDPR impact UK customers’ data since the UK will no longer be part of the EU?
A: For as long as UK is still part of the EU, GDPR is applicable. Upon Brexit, it is expected that all prevailing EU law will become UK law (at least in the short-term) which will mean that UK customers will continue to be afforded the same rights.
Q: We are in automotive sales and retails in the UAE. If EU customers share their information (while booking car we collect personal information) with us, do we need to comply with the GDPR obligations?
A: YES. The GDPR applies to any (personal data processing) organization that provides services or products to people located within the EU, no matter where the processing actually takes place.
Financial risks & implications
Q: Could you share any information in terms of potential financial risks if not GDPR compliant?
A: The maximum penalty on GDPR incompliance, especially concerning violations against the most fundamental principles such as the data subject rights is up to €20 million or 4% of the offending organization’s total annual turnover, whichever is higher. Manifestations of penalties are dependent on the responsible Data Protection Authority and will become more transparent by precedence cases in 2018.
Q: Is the GDPR compliance going to be audited on a regular schedule or is it "self-reporting"?
A: Audits can be conducted by national Data Protection Authorities or their sub-contractors. In general, audits are expected to be prompted when organizations are suspected for being in non-compliance (published security breaches, for example).
Q: Is "erasure" equal "to make unrecognizable" when it comes to backing-up records?
A: NO. These are different as described by Article 18 of GDPR. [link]
Q: What do you know about the aspects and priorities that inspectors undertake during the "audit" so far?
A: It is likely (but not yet certain) that regulators in different countries will have varying approaches to audits. There is some logic to suggest that regulators will continue to use existing audit practices in the short term, where they already exist.
The GDPR and the Snow platform
Q: Will the GDPR reports in Snow be made available as standard or is it an additional module?
A: The GDPR reports are a separate chargeable data stream alongside the existing Software Recognition Service.
Q: Is there a special Snow GDPR product? How will this work? Do we need special server resources?
A: The GDPR solution is a data service and does not require extra modules to be installed or any additional server resources.
Q: When will the Snow for GDPR module be available to start using for Snow Service Providers?
A: Snow GDPR Risk Assessment is available to both Snow customers and accredited partners today.