Paramita: Hello and welcome to PwC Luxembourg TechTalk. On today's episode we have Frédéric Vonner, our GDPR and data privacy expert. Stay tuned for a very interesting conversation.
P: Hello. Hi Fred. Welcome to TechTalk. Thank you so much for being here.
Frédéric: My pleasure.
P: Today we will talk about something that we have been talking about quite a lot lately. You know the famous GDPR and how we are doing. What is GDPR, Fred tell me, what is it?
F: OK so GDPR stands for the EU General Data Protection Regulation. It's an EU regulation that came into application last year in May. And it aims at reaching two objectives. The first objective is to give back to us as citizens the power and the authority over our data. And the second objective of the regulation is to ease and free the movement of personal data across Europe. I must say that for the time being it's mostly the first objective that has been looked at. How do we protect personal data? What is personal data? What personal data do we use? And so on and so forth. And companies, in my view, have been looking less at the second objective, which is still an interesting one to tackle.
P: OK. Now coming to the first objective, you said that it's about giving us the power back.
I know you didn't want to talk a lot about history but I'm going there.
Why did we start giving up that power? Why is probably too broad a question but when did we start giving up that power?
F: Well so when and why… two interesting questions. Why? I think it's because of the miseducation of us, people, citizens as to the data we produce, the data we give away and how data is used by companies. I'm sure that – and I am the first one to be in that position - I'm sure that nobody knows exactly what data is generated, processed, transferred to whom simply on a mobile phone.
P: That's scary.
F: That's scary. So that’s for the “why”. Basically we produce data even if you just buy something online or if you buy something with your credit card. That gives potential people a massive amount of information as to what your preferences are, where you live, if you have kids, if you buy Pampers for example. So there is a lot of information that can be retrieved out of that data and used for commercial purposes.
The when… I think it came with time. We have to think back to the first EU regulation on data privacy that dates back to the 80s. At the time there was no Google, there was no Amazon, there was no Facebook, there was no Apple. All the world we live in today that looks like a given was completely different. And the regulator from an EU standpoint saw the need to put some order in the house, not necessarily to regulate but to put some order in the house and to push people and companies to be more aware about what data they have, what data they process, what they do with it and so on and so forth.
P: OK so that is how at least we started paying attention...
F: Correct. Plus there have been a number of scandals or issues, Cambridge Analytica for example. But it's one amongst many and that triggered a lot of attention from both the authorities and the public, and thus the need to evolve in terms of regulations and to better understand basically what the rules of the game are if someone wants to play with data.
P: OK so was it first Europe that actually started thinking about it or has the world, the entire world been thinking about this?
F: It has been first Europe which makes Europe for the time being the most advanced regulation to protect consumers on the use of their personal data. But what we see is that worldwide there is a move towards more attention being given to data privacy, data protection when it comes to personal data.
So you have certain countries that are looking at enforcing or have enforced regulations that are very close to GDPR. So GDPR sets the appropriate level in terms of protection. Even in the US you have certain states like California that are looking at enforcing a similar regulation to GDPR. So yes, Europe has been at the forefront in revamping the regulatory framework but it's very closely monitored and looked at by other countries worldwide.
P: And what would you say is it working, GDPR? What's the current state?
F: I think it will work. It will work because for the time being I think that a lot of companies have been doing what I tend to call a “papering exercise” when it comes to the way they process data which means that we all received back in May last year tons of e-mails from companies saying “by the way we process your data and this is the data we have on you…” and some companies asking for your consent to continue using the data or saying if you don't agree we will not be able to provide you with a newsletter service or whatsoever.
So there's been a massive amount of communication done to the public, yet I'm not sure that all companies out there have reorganized themselves internally so that their own internal processes are compliant with the regulation. There is a requirement for example of what is called data retention. It’s how long someone can keep data and in what form. And when we discuss with companies, when we see how companies are managing data, quite a number of them are not up to speed, or at the appropriate level at least, when it comes to making sure that they keep data only for the duration that they are allowed to. So that's an example. So I think compliance with GDPR, and with data privacy or data protection, is more a journey than a one-shot approach.
P: OK we'll come back to how businesses are coping with GDPR. And I know you've talked about the difference between GDPR and data protection and data privacy. But I'm going to ask you a very naive question. Some months back right after we started talking about GDPR we were having this discussion with some of my colleagues and one of them he said “so what that our data is being used. We are living in a world right now that we created. And we are the ones who are giving out our data and we cannot escape it. It is the way it's going to be…” So, so what? Why do we have to care?
F: Just give me one second to give you an example. There’s been a case in the States where, I think it's MasterCard the credit card provider, who were selling data to Amazon for Amazon to resell information to its own clients, for the end clients, so the companies selling goods and services on Amazon, to measure the effectiveness of marketing campaigns. So basically when you were paying or buying a product with your MasterCard, the data was used at the end of the day to measure the effectiveness of the marketing campaign of the companies selling you the product. My view is that when I pay for something with my credit card I don't expect the data of my purchases to be used by anybody else than my bank or whoever is processing the payment. That's it.
So to come back to the “so what”, I think we have, as individuals, a certain understanding and the capacity to understand what our data is used for. But the actual usage of the data and the actual monetization of data goes far beyond what we can have in mind and what we can think of.
P: That is the thing because when we ask this question “so what” I think what that reveals is the kind of the naiveté that we have because we don't know how our data is being used.
I mean I'll give an example because just a couple of weeks back we all were talking about this 10-year-challenge. I don't know whether you saw on Instagram… you know the #10-year-challenge.
F: I didn't post any picture.
P: That is why you are our GDPR expert.
Even I… I am not a very big social media person. I mean I post every now and then but I fell into the “trap”, if you can call it a trap, because later on I read this very interesting article about how Facebook or companies like that - when you post a picture from 10 years before and now - they talked about facial recognition and how you’re aging and about how that will affect your insurance and it is absolutely mind boggling.
F: Yeah. And we don't think about that. Yeah, we don't think about how the information, the data we post for our friends basically, can be used by somebody else for another purpose. I'm sure that you have already seen on certain websites, when you want to sign or to click to validate something, you have to confirm that you're not a robot. And you have those squares appearing with a question whether you see a car or whatsoever. So it's not about personal data per se, but those techniques are used also to train artificial intelligence. So basically when you click on those boxes you provide a service to a company to train its internal artificial intelligence system. And that's a service you provide for free.
P: Oh my God. I'm speechless.
F: I can see that… So to come back to the “so what”… I think there's a lot of situations and much more than what we can think of where our data is used in a way that we don't know. That we simply don't know.
P: And can we do something about it? Because otherwise how… I mean we can talk about GDPR, we can talk about data privacy but what about the masses? I mean we know because we are talking about it, we're reading about it. Is there a way to educate people about that? About how our data is being used constantly?
F: I think, in my view, education as you say, but from a very early age. I have a niece who is 10 years old and she's on Facebook. I'm not sure that she really understands what it means to be on Facebook, that things posted on it can be used by somebody else in 20 years’ time to check whether she will be appropriate for a job for example. Same with all the information that we create and the data that we create. If you have a smartwatch, it's good to be able to show to your insurance companies that you walk a lot and that you do sports because it's registered by the smartwatch. But will that data only be used to your advantage or will the data also be used for another purpose which you might not be aware of? So all in all my view is that we have to be cautious as to the information we give away. And education is key.
And I think it's also about being a bit critical. If you go on websites and you want to subscribe to a newsletter, why should you give your name, first name, residence, marital status or whatsoever, whereas the only information that the company needs to send you the newsletter is an email address. I think it's also about having that mindset of being critical towards the data that you give away.
P: OK. So now let's come back to businesses. Why should businesses care about GDPR. All types of businesses…
F: I think there are two main reasons. So I will first talk about GDPR. And then we can expand to data privacy and data protection. I think there are two main reasons for which companies, whatever the size, need to care about GDPR. The first one is there is a high level of sanctions that can be imposed on companies not complying with the regulation. That is the CNPD in Luxembourg - Commission Nationale pour la Protection des Données (National Data Protection Commission). They have the capacity to impose fines. If you look at the regulation, fines can be up to €20 million or four percent of the global turnover. So if you think about Luxembourg, which is the headquarters of Amazon Europe, think about four percent of the global turnover worldwide of Amazon, that's quite a number. Yet it doesn't mean that the grocery store at the corner of the street will be imposed a fine of four percent of the global turnover or €20 million. But there is a financial risk even for them. There is a financial risk. There’s been recently a case for example in Austria where a shop had been using a CCTV camera and the camera was not well oriented or positioned, so that the camera was also recording the outside of the shop and people going on the pavement, not entering into the shop. So the camera was registering other people than clients of the shop and the shop has been fined… a bit less than €5000, which, you know, for a small shop, a small boutique, could be something quite important.
So there are financial sanctions that regulators, and the CNPD in Luxembourg, can impose. There is also in my view another risk which is the reputational risk. You simply don't want to be, or your company… you simply don't want to be in the press saying that there's been an improper use of data, the data is leaked and so on and so forth. We had many examples in the past. And even if there's no financial sanction I think that the reputational issue is something that is at least as important as the financial sanction. And to expand on data protection and data privacy, that's the same. There is no regulation per se on data protection, data privacy besides GDPR, but the risk for a company that is not able to properly protect the data that they have is quite huge in terms of reputation. If you're a bank you just don't want to appear in the press, in an article that says that your client database can be accessed by somebody else other than an authorised person.
You had cases last year in France for example. It was Darty… so a network of shops selling electronics. They've been fined by the French authority because one of the service providers that was providing services for the after-sales did not have a secure website, so that a consumer that wanted to claim something or had an interaction with the after-sales service was assigned a number to access his file online. And by just changing the number in the URL, you could access another file… so the file of somebody else.
P: So it was actually a service provider of Darty, not Darty itself?
F: Not Darty itself. But it’s Darty that has been sanctioned because they are responsible for the service. So protection of data is quite important, is quite key. And again there is the matter of reputation there.
P: How can a company make sure… how can me being a company make sure that my service providers or my suppliers… they are being compliant with GDPR?
F: Well you have different ways to tackle that. My first advice would be to make sure that the contractual relationship that you have with your service provider foresees a certain number of clauses whereby you, your delegates and your service provider have to be compliant with GDPR, just to protect you from a contractual standpoint. Yet it doesn't mean that your service provider will be compliant. So the next step is either to do a kind of due diligence on your service provider to understand how they operate, what the systems are, what they have done in the scope of their compliance exercise for GDPR. You might also request your service provider to provide a kind of attestation. So a third party coming in at the service provider, checking their capacity to comply with GDPR and providing an attestation or kind of certificate that your service provider will be able to use with you in order to make you comfortable with the fact that they are compliant. So contract, due diligence, on-site controls or third party review.
P: OK. Is there a difference between data privacy… GDPR is a regulation…
F: That's the point. GDPR is a regulation… data privacy is more global. It’s more the mind-set around protecting data. It's also about training people. It's about how do you on-board someone when entering into a company to make the person aware of the importance of data.
So data protection and data privacy is wider than GDPR which is just the regulation.
P: So it's more the mind-set actually, mind-set and the culture because I’ll tell you to launch this podcast we actually had to go through our legal team here and I am supposed to… I don't have it but I will do it… I'm supposed to make my guests sign this kind of GDPR authorisation form saying that you allow us to use your voice. So it's more about the mind-set and the culture…
F: Correct. It's about having the thinking that when you start a new product or service you go and consult with the ones who know what needs to be done in terms of complying with regulation but also protecting data. So it's really a question of mind-set, first of all. If you look at where the issues come from when it comes to GDPR compliance or data protection and data privacy the main source of issue, leak, problem, you name it, it’s the employees.
Us, employees of an organization… sending an email to the wrong person, keeping information for too long. I'm sure that if you open my drawers back in my office you'll find information that I'm not supposed to have, or keep at least. So it's really a matter of asking two questions which are key. The first one is: do I need that information? Second question is: do I still need that information? And you know, embedding this kind of culture of being self-critical towards the information that we have, that we collect, that is key to me.
P: OK. You said that the CNPD can impose fines on companies if they're not compliant. But how will they get to know if a company is compliant or not?
F: So CNPD has different ways to investigate companies. The first one and this started last year is that they run and they will continue running control campaigns. They picked up, last year, end of 2018, 25 companies in Luxembourg and did a check on their governance, on their DPO (Data Protection Officer) appointments etc. So they issued a questionnaire to these companies to respond to and provide documentation and to demonstrate their accountability with the regulation.
The second way is that they can decide to control, investigate a company if they have doubts or if they see something in the press for example, or if they receive information from insiders or outsiders that the company might not be properly organised in order to manage personal data. They might decide, and they have the power, to knock at the door and say “hello, we are the CNPD. Can you please demonstrate to us the way that you are compliant with the GDPR”. And so they have a kind of audit plan in place whereby they will be able to check a number of topics that we see in the regulation. And the third entry point, I would say, for the CNPD is simply a claim from someone. If you are not happy with the way a company in Luxembourg is treating your data, first of all you will request information from that company and complain to that company, but if at the end of the day you're not happy with the response that you get from that company, you have the right to lodge a complaint as an individual with the CNPD. And based on that the CNPD might be doing controls.
P: OK one last question. What does the future look like for GDPR, for data privacy? Is it gloom and doom?
F: I hope for one thing. I hope that companies will not forget that GDPR is a journey. We still have clients, companies coming to see us now because they have not done a lot with GDPR. But even for the companies who have done a lot, I think those ones, and nobody, should forget that it's, as I said before, not a one-shot project. It's an ongoing journey because there need to be controls performed on an ongoing basis, because it's a change of mind-set of employees, providers and so on and so forth. My hope is that companies will not forget this.
P: Just before you came in we were having a conversation with one of our colleagues where he said that he's hopeful that even if the data is out there, how that data is handled, you know, the technology that is used to handle the data, has not reached that height. So probably there is still hope for us?
F: I mean I tend to be positive and optimistic. I think there's hope for better commercial usage of data. We see for example more and more companies getting interested in data exchange platforms.
P: What is a data exchange platform?
F: That's… you have a couple of companies out there that do that. Basically they act as a broker between a company that can supply data, and I'll give you an example in one second... between companies that can provide data and companies that need to buy data. You might be aware that in London there is a toll for access to the city centre. Which means that each and every car plate is read and recorded, which means that the company running that has a huge amount of data on how many cars are getting into the city and precisely what the entry points are, when you have more cars in the city, in the morning or in the evening or whatsoever. And they are selling that data to companies selling advertisement space on billboards.
P: It's like Minority Report.
F: It's a bit like Minority Report. But because those advertisement companies can then update and vary the price of the billboard depending on the traffic. That's something that is of interest for both companies basically, because the London traffic company can make money out of the data they have and the advertisement company can buy data that helps improve its business model. So I hope that in the future we’ll go more and more into that. Having those platforms which are a bit more regulated, or organised at least, and structured when it comes to transfer of personal data. It doesn't mean that we as individuals will be more aware, but I hope that such platforms will provide for more transparency.
If I go back to my example, if I'm driving a car around London I'm not sure that my car plate is read and transferred to whatever advertising company at the end of the day.
P: Okay great. Thank you so much Fred. I mean I have to say this because I have a… I know that data can be used for a positive end but you know once it's regulated once there's somebody watching over it can be a good thing.
F: It can definitely be a good thing.
P: Yeah. Because you know I spoke about rare diseases because the genetic data they're being taken and for research purposes from people and once there's consent and once there's regulation…
F: There's a very interesting point on DNA data. Especially if you're on the social networks you'll see that there are a lot of advertisements for companies, so that you buy from them to know if you’re more Nordic or more Arabic or whatsoever. But can you imagine the amount of information and data that those companies have on your DNA? It’s huge. So what do they do with that?
P: We need more CNPDs and more GDPR…
F: We need more awareness.
P: Yes, exactly.
P: OK, on that note Fred, I’m going to end our conversation. Hopefully, I’ll have you for more conversations like this. Thank you so much. It was a pleasure.
F: Thanks a lot. It was my pleasure.
P: So that was Fred Vonner talking about the angels and demons of data. Hope you enjoyed it. If you did, don’t forget to comment with the #PwCTechTalk. And I’ll catch you next time.
Communication, PwC Luxembourg
Tel: +352 49 48 48 5821