
What if GDPR is nothing really new?

Updated: Dec 15, 2021

Written by Raymond Faber and Cyril Pierre-Beausse

Published on 22.05.2018 - Paperjam



Cyril Pierre-Beausse Lawyer


The first discussions on data protection took place at the Council of Europe in the early 1970s and the first European legislation (Directive 95/46, still in force today) was transposed into Luxembourg law by the law of 2 August 2002.


It was therefore time to modify this legal framework, which was more than 20 years old and no longer really adapted to the use of new technologies and the behavioral habits of "modern men" at the dawn of the 3rd industrial revolution.

Nevertheless, it is astonishing to see to what extent the four letters "G D P R" make people cringe, gnash their teeth, launch passionate discussions (in one direction as in the other), often ill-informed and, in general, based on hearsay or bar-room talk. It is also surprising because the topic of "data protection" is not new at all.


But is this so-called "GDPR" regulation really as revolutionary as we are led to believe in conferences and articles? Is it going to turn everything upside down, change all our "good old habits"? To tell the truth, not really. Except for those who discover in 2018 the existence of the law of August 2, 2002! And apparently, there would be some of them...

For all the others (there are some of those too…), the spirit of the GDPR's legal provisions does not differ fundamentally from that of Directive 95/46, because the main principles of data protection remain. That is good news. Moreover, the old, somewhat burdensome regime of authorization requests/notifications to the National Commission for Data Protection (CNPD) will disappear for good. That is very good news!

League change - data protection must become part of corporate governance

Gone are the days when a designated (punished?) person (lawyer, compliance...) spent long hours filling in notification/authorization forms for the CNPD. Today, with GDPR, and this is undoubtedly the major innovation of the regulation, every organization (private and public sector alike) must be able to demonstrate that it knows how to manage and secure the personal data it has to process on a day-to-day basis for its activity. Suddenly, all employees, but also boards of directors, management and shareholders, are directly concerned. That was the goal. This is where the famous GDPR-required register of processing activities comes into play, which every organization must set up internally in order to be able to show their credentials the day the CNPD agents pay them a (surprise?) visit, either on their own initiative or on the basis of a complaint filed against their organization.


The European regulation means legal obligations for some, increased rights for concerned individuals, but it also means "data security". Indeed, this aspect, often neglected or forgotten..., is crucial in the GDPR compliance approach. A recurring observation at the European level is that data security remains the enfant terrible in the world of new technologies. Against the backdrop of national and international news stories about all kinds of data breaches, leaks, thefts or losses, the European legislator has given an important part to the obligations related to data security in the regulation. Information security (physical and IT) must therefore be dealt with in parallel with the compliance of legal or contractual aspects.

The exemplary, the latecomers and the refractory

In the face of this fundamental shift in approach, making data protection an integral part of corporate culture, the levels of enthusiasm are quite uneven. While the regulation was passed in the European Parliament on April 14, 2016, after four years of negotiations and several thousand amendments, few organizations have since gone overboard with GDPR compliance.

Two years on and three days before GDPR comes into force, the landscape of affected organizations is very clearly divided into three categories: the exemplars, those who started on time with their compliance exercise and gave themselves the means to be ready for May 25, 2018. Then there are the laggards, those who woke up in the last six months, often because of commercial pressure from their customers, but often also because of a lack of precise information on the practical approach to adopt. The latter are legion and, now that they have understood what is at stake, they tend to panic a little as the fateful date approaches. However, they can be reassured, because the important thing is to have started the exercise, not to delay and to show good will. Finally, there are still many who are reluctant to comply with the GDPR, because they believe, for reasons that are often obscure, that GDPR does not concern them, because, for example, "yes", they process personal data, but these data are not sensitive, and therefore it is not for them...

It is obviously still too early to put away the pilgrim's staff!













































