Interview with Paul Breitbarth, Nymity
Paul Breitbarth joined Nymity in 2016 as Director of EU Certification Research and Senior Solutions Advisor and will speak at this year's Privacy Conference. In our interview, he weighs in on the biggest challenges posed by the GDPR and what privacy topics need to be discussed in the future.
What is the biggest change for you in the new EU data protection framework?
Paul Breitbarth: In general, I see that a lot of organisations are struggling with their overall approach to the GDPR. Not only do they need to revisit their current data protection policies and procedures, but they also need to make sure they have the documentation to demonstrate compliance.
That makes the accountability requirement the biggest change for me: organisations will really need to make an effort to be able to show they are compliant on an ongoing basis.
What GDPR topic requires the biggest efforts or most resources for implementation?
One of the biggest efforts will surely be to complete the records of processing activities register. Organisations will need to make an inventory of all their data processing operations, and record the key elements in an internal register. That register should be available to the supervisory authority upon request, for example when they visit for an inquiry or inspection.
At the same time, it is an important project to undertake: once you have your basic inventory done, it will be easier to maintain and will also allow you to deal in a more effective and efficient way with data subject requests, like the requests for correction or deletion.
What privacy topics need to be discussed in the future?
Two topics spring to mind. First of all, the use of various grounds for processing. Many organisations still rely heavily on consent, whereas that is not always the best, nor a workable ground for processing looking at all elements that are required to demonstrate valid consent. The second topic is data transfers from the EU to third countries.
The European courts have clearly raised the bar for what personal data can and can’t be transferred and how third countries’ legislation needs to be assessed. At the same time, international data transfers are a vital part of today’s economy, so a workable solution will need to be found. Maybe the option to transfer data on the basis of certification, that the GDPR offers, could be a viable way out.
What are you looking forward to at the Privacy Conference?
I look forward to hearing more about the challenges organisations are facing when dealing with the GDPR, and maybe already with ePrivacy as well. Of course I will listen carefully for issues where Nymity could offer support, but also other challenges are of interest to me.
In the end, GDPR implementation is not so much about meeting specific legal requirements, but about ensuring personal data of employees and customers are given a high level of protection and about organisations developing a privacy-friendly corporate culture. If that can indeed be part of the discussion, the Privacy Conference will be even better.