Ensuring data privacy in a post-GDPR compliance deadline world: A meeting of the DPTF in Oslo
Wednesday 27 June 2018
Posted by: Michele Lalic
The ETIS Data Privacy Task Force (DPTF) gathered from June 21 to 22 for their second meeting of the year, which was kindly hosted by Telenor at their headquarters just outside of Oslo.
The objective of the Data Privacy Task Force (DPTF) is to share experiences related to data privacy and the implementation of regulations such as GDPR and e-Privacy. Participating Members explore common interest areas and determine best practices.
As the first meeting after the May 25th GDPR compliance deadline, it kicked off with each of the participants discussing the major challenges and the organizational changes that have been implemented to ensure that their respective companies were compliant. Over the course of the discussions, a common theme emerged: the need to restructure certain processes, both within their own departments and in others.
Undertaking this project to become GDPR-ready has also resulted in increased maturity in areas such as security and communicating with their customers as well as employees. As an interesting benchmark, each participant also shared the number of data subject access requests they have received both prior to and after May 25th.
One highlight of the meeting was the session on data breaches and communicating with your local Data Privacy Authority. In a roundtable discussion, each of the participants discussed the cases of data breaches they’ve had over the past year and the reporting experiences they’ve had with their DPAs. A debate ensued concerning exactly when the 72 hours given to notify begins. Is this when the processor detects the breach? When the processor sends the email? Taking a more interactive approach, a few of the participants demonstrated the procedures they must follow to report the breach by taking the participants through the web portal of their respective DPAs. Other participants presented the data privacy section of their intranets and explained how they approached the task of employee privacy implementation and procedures. Retention periods were discussed for various human resource materials as well as what exactly is considered personal data and the legal basis on which it is processed.
The meeting ended with a discussion of the fact that many of their companies have complex scenarios where the simple definitions of controller, joint controller and processor do not solve their challenges. Moreover, the authorities and courts will consider the factual situation when making a determination about the relationship, even if the parties involved agreed differently. It was agreed that what is crucial to making this determination internally are the essential elements of the processing – the scope: what data elements are shared or processed, whether the data can be shared by other parties and how long they are kept.
If you would like to know more about the group and its activities, please visit the Data Privacy Task Force page or contact us.
ETIS members can access the presentations and materials on the Members Corner of the ETIS website and on ETIS' Yammer Network.
ETIS is the trusted community for telecom professionals. Our goal is to enable our members to reach their strategic objectives and to improve their business performance by sharing knowledge on industry challenges and by collaborating where possible.
For more information on ETIS or how to join our activities, please visit our website at www.etis.org or contact us.