Data Privacy Day: Lessons for GDPR compliance and information security
Published on Thursday, 22 February 2018
On Monday 29 January 2018, a Data Privacy Day information session was held at the University of Luxembourg. It was attended by more than 100 visitors, who came not only from the University and the Restena Foundation but also from other research institutions and other sectors.
How to become GDPR compliant for 25 May 2018
After a warm welcome by the president of the University of Luxembourg, Prof. Stéphane Pallage, the Data Protection Officer of the University of Luxembourg, Dr Sandrine Munoz, gave a summary of the upcoming changes in the General Data Protection Regulation (GDPR). She focussed on the key factors in preparing for GDPR compliance: identification of personal data processing, documentation, organisation of processes, accountability and risk management. As suggested by the Commission nationale pour la protection des données (CNPD), she presented seven steps to be prepared:
In the discussion after this presentation, members of the audience expressed their concern about the impact of the European Regulation on research projects and national laws in the pipeline. In response, experts underlined that the GDPR foresees the possibility of derogations from data subject rights in national laws for scientific, historical or statistical research projects, if those rights impair the research. These derogations are defined in the Luxembourg Project of Bill 7184 for research programmes, and researchers are required to implement appropriate safeguards, such as pseudonymisation and a data management plan, to protect data subjects' rights.
On the information security side, the speakers Dr Cynthia Wagner from the Foundation Restena and Christian Hutter, Chief Information Security Officer of the University of Luxembourg, provided practical examples of privacy risks and information security threats.
Compliance monitoring by the CNPD
The presentation by Michel Sinner, Head of controls at CNPD, was closely followed, and the detailed practical steps to prepare for a CNPD compliance control were highly appreciated. In the question and answer session, the audience was concerned about the Commission's approach to sanctions in case of failure to comply with the GDPR. The CNPD representative explained that, even though compliance with the GDPR will be mandatory by 25 May, the initial focus of the CNPD will be more on supporting controllers in improving their compliance and encouraging them to collaborate fully and be transparent than on hitting them with high sanctions.
Improving information security
Moreover, speakers also introduced attendees to different aspects of and threats to information security:
At the end of the event, the director of the Foundation Restena, Gilles Massen, reminded everyone in his closing words that the GDPR should not only be seen as a burden for organisations but also as a chance for the privacy and protection of European citizens, enabling new opportunities for Europe.















