Interview with Michael Kamps, CMS Hasche Sigle
Michael Kamps is a lawyer at CMS Hasche Sigle, one of Germany’s leading commercial law firms, and will be speaking at the Privacy Conference. In our interview, he lays out the biggest challenges when implementing the GDPR in organisations.
What is the biggest change for you in the new EU data protection framework?
Having advised clients with respect to the comparably strict German data protection laws for quite a number of years, a variety of GDPR elements appears quite familiar to us. However, the accountability requirement is one of the key changes with significant direct and indirect impact for any data protection organisation.
It needs to be taken into account in essentially any module of GDPR implementation projects to ensure that a controller is able to demonstrate its compliance with GDPR requirements at any time. In practice, the accountability regime requires a more extensive documentation of internal approaches, decisions and processes on an ongoing basis.
What GDPR topic requires the biggest efforts or most resources for implementation?
We see some effort-consuming GDPR topics, one of which surely is the record of processing activities. It is the core element of any GDPR implementation project and future data protection compliance management system. The record of processing activities will, in practice, go beyond the essential requirements in Article 30 GDPR to ensure that transparency obligations – such as the mandatory information to data subjects – or data subject requests can be met.
Depending on the current level of internal documentation, the setup of a GDPR-compliant record of processing activities regularly requires significant time, effort and resources from a large group of stakeholders within a controller's organisation. In addition, time is of the essence in this respect, as certain relevant legal follow-up assessments require a solid factual basis in the form of the record of processing activities.
From a technical perspective, the new right to data portability as well as the right to a copy of personal data as part of the data subject's access right frequently requires significant implementation effort.
What privacy topics need to be discussed in the future?
Taking into account the ever-increasing amount of data available for analysis and further processing from various sources, the qualification of "personal data" (including reliable means for anonymization) will need ongoing attention in the future. If virtually all available data are considered as "personal data" in any case, the established concept of data protection law may become a victim of its own success.
At the same time, I am convinced that challenging the frequent perception of data protection law as a "regulatory roadblock" could be beneficial. It may turn out that the protection of data subjects' rights under data protection law is far more connected to the overall acceptance of new data-driven business concepts, services and products (including IoT and Big Data) than generally assumed.
Such an approach may be part of a larger social discussion – possibly also driven by an increasing number of actual or alleged data breaches, leading to a broader and more specific awareness of possible risks connected with the ongoing digitization.
What are you looking forward to at the Privacy Conference?
I am looking forward to meeting colleagues and privacy professionals to share ideas, concepts and approaches in handling the challenges of the GDPR and how to cope with the uncertainty regarding the ePrivacy regulation. The last Privacy Conferences have provided insight and inspiration, and I am confident that this will also be the case this year.