GDPR Podcast Series: Katie Stevens


In this podcast, Cal Slemp, Protiviti managing director and a leader with Protiviti’s Security and Privacy Practice, talks about the new General Data Protection Regulation, which has just gone into effect in the European Union.

Protiviti Podcast Transcript

Kevin
The General Data Protection Regulation has now gone into effect, and it continues to generate many questions and lines of inquiries by organizations and consumers alike. This is Kevin Donahue, a senior director with Protiviti’s marketing group, and I want to welcome you to a new edition of Powerful Insights. I’m pleased to be joined today by Katie Stevens. Katie is an associate director with our security and privacy practice, and we’re going to be talking a little bit about the new GDPR, which has gone into effect in the European Union. Katie, thanks for joining me today.
Katie
Yes, Kevin. Thanks for having me. GDPR is certainly a hot topic these days.
Kevin
It is. Let me get right into it here and ask you something I’ve been talking with others about, which is this – the regulation’s now gone into effect. I wanted to know, what are you hearing from your clients, different people you’re talking to in the market right now? What are some of the more common challenges or questions that are coming up?
Katie
Yes. Sure, Kevin. I think most of my clients are focused on data-subject rights and, in my opinion, data-subject rights is the most challenging area of the GDPR. Many companies are simply not prepared to handle data on that granular level. Data-subject rights require companies to handle data on the consumer level. As you’re aware, most U.S. companies, at least, they like to hold data, analyze data, so it really creates a significant challenge. Additionally, it is the most visible area to the data-subject population, which means getting this wrong could result in a formal complaint to the authorities. Again, from the overall GDPR standpoint, I think data-subject rights require a significant effort and time for companies to implement. They certainly continue asking questions about that.
Kevin
Katie, I’m really glad you brought that up. Again, we’ve been talking with different leaders and experts about what companies need to do – the different requirements they have, the processes that need to be put in place – but we haven’t talked much about the data subjects themselves. How should a data subject go about exercising their rights under this new regulation?
Katie
That’s an excellent question. It’s interesting. I just came back from Portugal – I went there for a vacation. I was very excited because I had just implemented GDPR and I was going to actually test it in Europe, and I quickly found out that a very small percentage of their population even knows what GDPR is, and they’re certainly not aware of how to execute their rights.
 
First, I think data subjects need to own their privacy, and those who really care about their privacy, they know about the GDPR. There are many avenues on how data subjects learn about a company’s abilities to fulfill their rights. I think also that many data subjects are very well educated, and they know exactly what companies are supposed to be doing. I have some clients where the requests are coming in and we’re learning very sophisticated questions that are coming through, and the request for data-subject rights, such as the right to be forgotten.
Kevin
As a consumer, I’m very curious – how do I ensure that my information is being protected or has been deleted, especially if I request that from a particular company?
Katie
Yes. I think the right to be forgotten has been communicated a little bit unclearly to the rest of the world because the right to be forgotten does not always apply. If you think about banks and industries that are heavily regulated, they can’t just delete all data. Otherwise, companies would be out of business. If anyone can just request deletion of their information, I think we would have a lot of problems in the business world.
 
I think what people need to know is that the right to be forgotten, for example, does have some limitations, because companies do have to retain data to meet regulatory requirements and the processing activity. When you do request your rights to be executed – specifically, the right to be forgotten – you need to make sure that you understand the retention schedules, and the company that you’re requesting from should communicate that to you, and then you can also request evidence or clarity from the company, post the retention schedule if the data was deleted.
 
To really tell you, Kevin, honestly, none of us can ever audit those companies or validate that the data was truly deleted. However, if a breach were to happen and you requested your information to be deleted, then you can potentially sue those companies for damages because they did not correctly fulfill your request. Short answer: We don’t really know, but I think we’re heading in the right direction, and many companies are really working through to make this right for the individual, and it’s really exciting to see that happening in Europe.
Kevin
Katie, I want to thank you very much for joining me today to discuss some of these aspects of the General Data Protection Regulation. For those in our audience interested in additional information, I want to invite you to visit protiviti.com/gdpr, where we have a wealth of insights, as well as more podcasts discussing this complex regulation.