Fear, fines and an outbreak of fever – GDPR enters into force
Fritz, you have been dealing with information security and data protection at Unic for years. How did you perceive the first three months after the entry of the new EU General Data Protection Regulation (GDPR) into force?
Fritz von Allmen: I noticed a lot of paperwork and uncertainty (laughs). GDPR has meant – and still means – much effort for many enterprises. At the same time, there remains great uncertainty and some questions to which the Regulation provides no answer.
Although this is an EU Regulation and it applies to Swiss enterprises only under certain conditions, the response was very strong. Efforts were made worldwide to adjust websites and web shops to the new requirements. The fear of possible fines was sometimes so great that operators decided to close whole forums, shut down websites or deny access to EU users.
Did GDPR come as a surprise to Unic?
It wasn’t a surprise but, just like many others, we began thinking a bit late about how to handle it and what should be adjusted. The two years of the transition period between the adoption of the law and its entry into force would have been sufficient, but data protection was not given enough priority. This oversight may explain the fever that broke out just before 25 May 2018, the day the GDPR entered into force. In retrospect, this waiting paid off for us, though. At that time the media also talked about GDPR a lot. This way it was easier to make our employees sensitive to this issue than if we had started two years earlier.
Since then I have conducted many good talks on this topic. The awareness has definitely increased among the employees. We spent much time creating the necessary roles, clarifying the responsibilities and adjusting non-compliant processing processes.
Transparency in the documentation process
What is the status quo three months after GDPR entered into force in your opinion? What is on our and our customers’ mind at present?
It’s more peaceful three months after GDPR entered into force – even too peaceful, I think. In my view, the greatest value of GDPR is that people actually are aware of the issue of data protection. Not only web and IT specialists but the whole society. I hope that the interest in this topic will not fade away. At least it became clear that data protection must also be regarded as a part of business transformation.
GDPR has led both us as service providers and our customers to examine carefully what personal data are processed in the systems and for what purposes. In my opinion, only a few enterprises have documented their processes precisely enough to know conclusively:
- where personal data, for example IP addresses, are collected and stored,
- how long these data are stored,
- what purpose they involve,
- whether the user was sufficiently informed,
- whether the data are transferred to a third party, etc.
The records of processing activities required by the Regulation provide the necessary transparency of these processes.
I can still sense considerable uncertainty among our customers. They have straightforward questions; for example, if they have to adjust their tracking procedures or if their e-mail marketing is in compliance with the Regulation.
Can you estimate when and how this uncertainty will diminish?
It’s difficult to tell. Unfortunately, there are still many unclear spots. There are hardly any groundbreaking court decisions based on GDPR. A review of the ePrivacy Directive would make things clearer. However, we shouldn’t count on its adoption before 2020. What’s more, it may take one to three years before it enters into force. The general revision of the Swiss Data Protection Act also drags on. A version for consultations was ready at the end of last year. But here, too, the legislator is stepping on the brakes and delaying the revision. Although the issue is expedited from a regulatory perspective, it is also obstructed at the same time.
Data protection – a service for customers
What do you wish for the future with regard to data protection?
The solutions and products on the market must catch up and support the operators who apply them in the implementation of GDPR. So, for example, Google included options to set the data storage period in the popular Google Analytics and Google Tag Manager. Tools should increasingly contain technical measures (e.g. encryption) to support data protection. Options for data anonymisation, settings and configurations for the period of data storage, as well as methods to get the data subject’s consent and record it with the possibility to revise it, must be available.
What is your progress with the implementation as the data protection officer at Unic?
I often come across declarations of companies which guarantee that they are absolutely GDPR-compliant. I find such statements a bit difficult; this is not our goal. I see data protection not as an ultimate state but as a way to respect the fundamental rights of digital citizens and to act in their interest. The adjustments are never finished but are a part of a continuous transformation.
Thanks to the ISO 27001:2013 certification Unic had a favourable background. We have already implemented many things required by the Regulation in the area of information security (keyword: technical and organisational measures). As a digital agency, we are interested in achieving a very high degree of protection of our customers’ data regardless of the legislator. However, based on GDPR we had to adjust our data protection statements, check our processing processes, conclude data processing outsourcing agreements and make our employees even more sensitive.
What is your advice as regards data protection?
I believe that data protection is a service for the customer. Companies should try to fulfil the regulatory requirements such as GDPR and ePrivacy – but the focus should be on customers’ interests. Users don’t want to click through endless cookie banners (even less so if they don’t offer any real decision options). While using social platforms they don’t want to fear that they are observed and followed and that their data are misused. Neither do they want to disclose much information about themselves unnecessarily, nor do you want to collect data twice when they are forwarded from the doctor to a healthcare facility. I think that it’s more reasonable to take the point of view of customers and users than to browse through the laws.