EU General Data Protection Regulation — some of the problems
Let us take a quick look at some (of many) EU General Data Protection Regulation (GDPR) implementation issues in Lithuania.
Article 37, paragraph 1: “The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity”.
Article 37, paragraph 5: “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”.
So, even taking into account paragraph 3 of the same article, which allows a single data protection officer to be designated for several public authorities or bodies, taking account of their organisational structure and size, will those requirements be effective in public administration after 25 May 2018?
Take Lithuania: roughly 550 public institutions (give or take, the exact number is not at hand) and the companies under them. That is not counting all 60 municipalities and the municipal companies, such as public transport providers. Even if each of the current 14 ministries appoints one data protection officer (DPO) to cover most of its subordinate institutions, there are still quite a few institutions that process huge amounts of personal data and will have to dedicate staff to the task.
By a very rough approximation, we are talking about a couple of hundred highly skilled data protection specialists for the public sector alone, on top of the private companies that need them too. That many are simply not available in the Lithuanian labour pool.
So, if no competent staff willing to work at government salary levels can be found, we will end up with either incompetent DPOs in the public sector, or a few dedicated and competent ones stretched across 20 to 50 institutions each, overworked and unappreciated. Probably a mix of both.
On top of that, a quick look at the Lithuanian legislation implementing the GDPR, currently passing through parliament. Relying on Article 83, paragraph 7 of the GDPR, which lets each member state decide whether and to what extent administrative fines may be imposed on its public authorities and bodies, it proposes to set fines for government institutions at 0.5 percent of the offending institution's annual budget, but no more than 30,000 euros; for serious infringements of the GDPR, 1 percent, but no more than 60,000 euros. That is presented as “..sufficient, proportional and effective measures..”.
How does that sound compared to the private sector, where the ceiling is 2 percent of worldwide annual turnover or 10,000,000 euros (4 percent or 20,000,000 euros for the more serious infringements), whichever is higher?
Summing up, at least in Lithuania we run a high risk of understaffing crucial data protection functions in the public sector. Couple that with drastically lowered fines for non-compliance and once more a poor implementation of mostly good legislation is underway. While public sector institutions are very active in gathering and storing personal data, a merely formal implementation of the GDPR will not be sufficient to secure this information.
What to do?
1. Strict compliance control of government institutions, not only businesses;
2. Accordingly, sufficient resources, both funding and people, for the supervisory authority;
3. A direct government instruction to public institutions to prepare high-level GDPR implementation plans, to be evaluated and commented on by the supervisory authority;
4. Immediate assignment and training of internal personnel for the DPO role, at least at ministry level and in institutions working directly with personal data;
5. Most important, as with the private sector, action should be taken right now, as less than a year is a very short time.