GDPR Podcast Series: Walter Cashion



In this podcast, Michael Walter and Kyle Cashion talk about the new General Data Protection Regulation, which has just gone into effect in the European Union.


Protiviti Podcast Transcript

Kevin
Hello, this is Kevin Donahue, a senior director with Protiviti’s Marketing group, welcoming you to a new edition of Powerful Insights. I’m pleased to be talking today with Michael Walter and Kyle Cashion regarding the new General Data Protection Regulation, which has gone into effect in the European Union. Michael is a managing director and a leader with Protiviti’s Security and Privacy Practice, while Kyle is a senior consultant with our Security and Privacy group. Michael, thanks for joining me today.
Michael
Thank you.
Kevin
Kyle, it’s great to speak with you as well.
Kyle
Yes, absolutely, Kevin. Thanks for having us.
Kevin
So, Michael, let me toss the first question on this to you. We’re talking today about the new General Data Protection Regulation, which has gone into effect in the European Union. Tell me a little bit about what you’re hearing so far from your clients in the market in general about the regulation. What are some of the biggest challenges you’re hearing that companies face so far – maybe some of the most common questions that they have?
Michael
Sure, I’d be happy to do so. As we all know, the May 25 deadline has come and gone. Now, I think there are kind of three types of discussions that we’re having. For some clients, they weren’t able to get fully GDPR-compliant by the May 25 deadline, and so they put a project plan together and got the most high-priority items done. In that situation, we’re working with clients to say, “Let’s make sure we do everything in the project plan in order to become GDPR-compliant.”
 
Second, part of GDPR is that, once you’re compliant, there needs to be continuous monitoring of your compliance programme for GDPR compliance, and we’re having a lot of discussions with clients about “How do you do that monitoring?” and “How do we monitor the controls within our GDPR compliance programme?” Then last, there is additional guidance that’s being provided by the authorities and regulators in the EU, and as they publish guidance, we’re reviewing that and having discussions with our clients about how to interpret that guidance and what work efforts, if any, are needed.
Kevin
Kyle, what about you? What are you hearing so far from some of your clients – questions that they’re asking and so forth?
Kyle
I think that’s a very good question. It’s scattered. Some of them are more specific than the items that Michael mentioned, but I would say generally, most clients fall into one of those three buckets. Some of the more specific questions that I commonly hear from clients are, “How do we update and maintain our record of processing activities year over year? As data-subject requests start to come in, what types of processes, procedures and policies do we need to have in place to support those types of questions being asked?” Then, in a deeper view, when complaints are filed, “What are the actions that we need to take if that is the case?” I would say generally, they fall into those three buckets that Michael mentioned earlier, but those are some of the specific questions that I see and hear from clients recurring.
Kevin
Thanks, Kyle. Michael, let me ask you this also. We’ve been hearing a lot about what companies need to do, some of the different steps they need to take and how they go about compliance. I want to ask you a little bit about the flip side of that, which would be the potential penalties they’re facing, different remedies they may have to take and how they ought to address complaints from data subjects. First off on that count, what sort of liabilities are they facing if they are not fully compliant with GDPR?
Michael
As we all know, there are some hefty fines in place for noncompliance with GDPR, but I think we’re still waiting to see how that all plays out. The EU regulators have been pretty clear that they have a past history where, for privacy violations, they haven’t had a default position of assessing maximum fines. They said that they are going to continue that trend, where any fines or any issues that they levy against companies should fit the crime, essentially, or should fit the violation. I think we’re all going to start to look over the next three, six and 12 months as to what that looks like and what the regulators are doing when they find companies that are not compliant with the GDPR.
Kevin
Kyle, I know under GDPR there are these categories of entities – data controllers and data processors. Should these different groups fear administrative fines and penalties under the regulation?
Kyle
Well, I don’t think that organisations should fear administrative fines or penalties under the GDPR, as I don’t think that the regulation is meant to be malicious. I don’t think that you’ll see regulators banging down doors or anything of that nature, but if there are areas of negligence or areas where there is not full compliance, then the regulators will be tasked with imposing those fines and penalties against organisations. I think both processors and controllers need to take the regulation seriously and do their best to comply from front to back, but I think this is not a one-and-done situation either. As Michael mentioned on your previous question, this is an ongoing regulation that needs to be complied with, and as there are changes made, organisations need to be aware of those changes so that they can fill gaps, if there are gaps, within their current compliance efforts.
Kevin
Michael and Kyle, I want to thank you very much for joining me today to discuss some of the different aspects of GDPR, which has now gone into effect. I want to invite our audience to visit protiviti.com/gdpr, where you can find much more information on this new regulation.