Home // SnT // News & E... // One month until the GDPR - what themes are emerging?

One month until the GDPR - what themes are emerging?

twitter linkedin facebook email this page
Published on Friday, 27 April 2018

This is it. We are now officially less than a month away from the application of the new European General Data Protection Regulation, or GDPR, on May 25. In the last few months, the acronym has been on everyone’s lips, and with good reason, given that the Regulation has a comprehensive impact on companies and their business practices. 

The ubiquitous learning opportunities of the last six months – from webinars and meetups to workshops and conferences – have shown that adjusting to the GDPR is anything but easy. Against this backdrop, the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT), in collaboration with the law firm Stibbe and the University’s Faculty of Law, Economics and Finance (FDEF) set up the “IT Governance and GDPR” roundtable debate series. Professionals from across business and public organisations gathered monthly to discuss some of the key challenges posed by the Regulation and how to tackle them.

SnT’s Dr. Andra Giurgiu and Stibbe’s Erik Valgaeren led the discussion and invited experts in ICT and law to comment on the key legal and technical points. Looking back on the series, the first conclusion is that many questions are still open. The GDPR is still unclear on many points, ensuring that compliance with the Regulation will remain an ongoing discussion well beyond 25 May. Nevertheless, some aspects have emerged very clearly:

  • The GDPR has a significant impact and needs to be embedded into new and existing IT contracts; particular attention needs to be paid to the role of the contracting parties, the rights of the data subjects, security and confidentiality, data protection by design and by default, data restitution, audit and inspection, data processing registers, data breaches and liability.
  • For Big Data projects efficient and pragmatic privacy policies, respecting the fundamental principles of the GDPR – data minimisation, purpose and storage limitation - need to be drafted; the new and updated rights of the data subjects must also be taken into account and embedded into these policies.
  • The importance of adequate security is enhanced under the GDPR; additionally, a breach notification and incident management procedure is essential for complying with the Regulation.
  • The Regulation sets up more mechanisms for international transfers of personal data; however, in practice, determining which exact solution a company can use is complicated, especially given the legal uncertainty surrounding the future of certain transfer mechanisms.

Happily, the discussions showed that stakeholders, whether from the public or private sector, want to be a part of and continue the dialogue regarding GDPR compliance. The Roundtable Debates provided a valuable opportunity for professionals across sectors to share their problems and solutions. Our final session, “GDPR and new technologies”, underlined the fact that compliance requires a comprehensive approach to data governance. There is no magic bullet, and lawyers and IT need to work together towards setting up robust solutions. It also became clear that applying the GDPR to new, disruptive technologies like blockchain, artificial intelligence or the internet of things is and will remain an ongoing challenge that calls for interdisciplinary teamwork to reconcile the key characteristics of data driven technologies with the principles of the GDPR.

Our sessions:

14 December 2017: Legal Solutions: how to accommodate the GDPR challenges in your IT contracts

11 January 2018: Big data projects: how to draft efficient and pragmatic privacy policies?

7 February 2018: Help me, I’m hacked – incident management and GDPR governance

7 March 2018: International Data Transfers

11 April Wild Card topic: GDPR and new technologies