Cyprus: Post GDPR Era; From Theory To Practice

Even after the General Data Protection Regulation ("GDPR") has become enforceable by data protection authorities on corporations established in (and out of) the European Economic Area ("EEA"), there are still practical implementation challenges that organisations must tackle before they can effectively claim that they can mitigate data privacy related risks that can adversely impact their business case. Practical implementation challenges may arise due to absence of specific implementation guidance from data protection authorities in certain areas and lack of standardisation, amongst other things. It is also true that some organisations did little to comply with the previous Data Protection Directive upon which the GDPR is based.

Where is the data?

A crucial component of any GDPR implementation project is the creation of the Register of Processing Activities ("RoPA"). Although the creation of the RoPA is first mandated halfway through the GDPR text (Article 30), at Deloitte we believe that it is the cornerstone of any GDPR implementation, that RoPAs should be sufficiently detailed and that, naturally, GDPR implementation should be data centric. Challenges arise when organisations adopt a "fill in the blanks" approach to fulfil minimum requirements. Whilst this approach may be appropriate to fulfil the requirements set out in Article 30 for small organisations operating locally, it may not be appropriate for larger organisations or organisations with a diverse business model and/or an internationally expanded group structure. Management decisions should be made and appropriate resources allocated concerning the methods for data discovery, human resources, records management, collaboration and integration with business processes. We witnessed situations where the solutions implemented may have been developed as part of a "one off" exercise, are not easily maintainable, impede multinational collaboration or are simply inadequate. The bottom line is that the stakes are high when factual circumstances differ from what is prescribed in the established records.

Fair, transparent and purposeful processing in the name of law

Simply put, if processing is performed without a lawful purpose, or that purpose is not adequately communicated to individuals, in a manner that may impede, in any way, the protection of data subject rights, then organisations are looking at the ceiling of GDPR fines. Implementation of the above criteria should be data centric. Posing real dilemmas in layman's terms, an organisation may be concerned, among other things, about whether dynamic IP addresses are treated as personal data, whether it is appropriate to process data concerning criminal records, whether an XYZ EU law defines the purpose for such processing, or whether legitimate interest is sufficient as a lawful basis for direct marketing. In the case of international organisations, additional challenges are posed as to which is the dominant applicable law when variations between EU member state legislation are observed. GDPR provides solutions that address instances where the absence of a lawful basis is observed.

Transparent processing should be applied by disclosing, in sufficient detail and with appropriate methods, all required information to ensure that individuals are appropriately informed, irrespective of the medium used to capture the data subject's information or its source.

Fair processing encompasses the respect of data subject rights. Having in mind that the process of handling data subject right requests may trigger complaints by data subjects, organisations must carefully consider the process, scope, applicability, methods and means to fulfil a data subject right request on a case by case basis.

Our experience in this area revealed that, among other things, wrong lawful bases may be used or insufficiently supported, data subject rights may be inadequately applied, insufficient transparency may be demonstrated, or local EU member state laws may be ignored in cases where they impose stricter requirements. Other issues that we have come across include instances where processing activities were ceased because a lawful basis to support them had not been identified. However, in certain cases the processing activities could have continued if more diligent research had been performed to identify an appropriate legal basis. Legal bases may even exist deep down in the realms of European Court of Justice decisions.

Data processors are responsible too and the controller should verify this

Processors under GDPR can be considered a subordinate figure to the controller, being required to process the personal data "only on documented instructions from the controller". However, processors maintain specific responsibilities which have to be demonstrated to the controller, and the controller needs to ensure that it employs only those vendors who "provide sufficient guarantees" concerning their data protection capabilities. Things get complicated when the processors are large multinational organisations or when they have bargaining power over the controller. The mere establishment of a data processing agreement will simply not qualify when controllers are challenged to demonstrate control over the processors. Variations in the performance of vendor due diligence, contract clauses and the methods that controllers use to verify the technical and organisational measures implemented by the processors are quite common. Controllers often seek to obtain third party assurance reports from the processors in the absence of the much-promised approved certification mechanisms or codes of conduct. Reluctance is observed when costs have to be borne by either party or when taking a decision to change a processor seems to be the "right thing" to do. Ultimately, the controller maintains responsibility under GDPR and has to decide whether the risk will be assumed or delegated.

International organisations, transfers and main establishments of controllers

International operations may foster consolidation of administrative processing activities to achieve tax and/or operational efficiencies. Whilst centralisation and consolidation may be effective for tax and financial reporting purposes, they may not be appropriate for use in agreements governing international transfers. The concept of a "main establishment" must be applied with care, as the recent €50 million fine imposed on Google revealed that when factual circumstances differ, the location of the main establishment can be challenged.

Concerning the safeguarding of international intra-group transfers, as of the date of publication of this article, Binding Corporate Rules ("BCR") had been adopted by approximately 100 international organisations. The time-consuming process of having BCRs approved has led organisations to look for alternative ways of safeguarding intra-group transfers. International organisations that apply other safeguards or derogations in ways that reduce administrative costs, especially when not designed properly or used to bypass the adoption of a BCR programme, are walking in uncharted territory.

End-to-end risk based data protection

Data protection must be embedded in the existing situation of an organisation, covering all processing activities, and must also be considered during change management in a risk-based, consistent and systematic manner. Sometimes we observe organisations adopting a "tick the box" approach which is usually a by-product of an exclusively legalistic and siloed approach and which fails to adapt to specific circumstances; in most of these organisations, implementation depends heavily on the intuition of the person performing the activity. Data protection should be applied by design and by default and requires application across the board. Whilst Data Protection shares common elements with the discipline of Information Security, organisations may maintain a clear separation between Data Protection and Information Security because of organisational silos. Certain Data Protection Authorities have published specific guidance and tools which support the Data Protection Impact Assessment process and which clearly promote the application of security measures according to Data Protection criteria. The recent fines imposed on Uber and the hospital Centro Hospitalar Barreiro Montijo are good examples of inappropriate or misaligned information security practices.

Should I report it or not?

Treatment of data breaches under GDPR is a major challenge for organisations. GDPR requires disclosure to the supervisory authority and to the individuals affected once organisations become aware of a data breach. Organisations face real dilemmas, which often resemble games of Russian roulette. Should an organisation report a data breach that has not become publicly known, or should it remain silent? Again, management has to decide whether to assume the risk or mitigate it, by considering the possibility of the breach becoming known to others before the organisation reports it. Currently, very few organisations from a global perspective have the organisational maturity to report a data breach before it is exposed to others simply because they are confident in the data protection and security measures they implement. Facebook's recent GDPR data breach, which affected 50 million users and which followed the Cambridge Analytica breach, is the most prominent example of a data breach disclosure reported by an organisation without the data having been exposed to others. The impact on Facebook of its reported data breach will be known when the Irish Data Protection Commissioner completes the investigation announced on 3 October 2018. The Irish Data Protection Authority's decision will definitely influence the data breach reporting processes of organisations in scope of GDPR.

The DPO, the most powerful GDPR tool

Appointment of a Data Protection Officer (DPO) is mandatory for organisations which fulfil certain criteria under GDPR. Although the skills and competencies that a DPO should possess have not been explicitly determined by the regulators, it is clear that the DPO should possess a well-diversified skillset due to the breadth of coverage of Data Protection matters. The DPO should, among other things, demonstrate proficiency in the Data Protection Regulation, Information Security, Risk Management, Audit and Regulatory compliance. The quality and personal attributes of the DPO shape the Data Protection culture in an organisation. The DPO is the person who will speak up when everyone else stands down on Data Protection matters, as well as the person to be consulted on any matter concerning Data Protection. To achieve this, the DPO should maintain organisational/functional independence and perform his/her duties ethically and free from conflict of interest. Organisations face challenges when inadequate resources are assigned to GDPR implementation. It is quite frequent that business users easily assume that the DPO is responsible for undertaking GDPR implementation. DPOs who undertake tasks which conflict with their supervisory role run the risk of downplaying the importance of Data Protection and ignoring material Data Protection matters, thus increasing the risk of the organisation being sanctioned for infringements of the GDPR.

Concluding remarks

This article touches upon some of the challenges we have faced in practice. The only way these challenges can be successfully dealt with is through the provision of valid, actionable and quality advice and support. Our GDPR client portfolio includes organisations from every industry sector, both locally and internationally.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
