We speak with GDPR expert Karen Lawrence and bring you her insights for staying on top of your data protection work. Our interview with Karen covers, among other things:
- The value of doing a GDPR Gap Analysis to figure out what exactly needs to be improved in your data protection work
- Three actionable things any company can do to jump-start their GDPR work
- Why you should use a Transfer Impact Assessment (TIA) to keep international data transfers GDPR compliant
Who is Karen Lawrence?
A self-described GDPR nerd, Karen Lawrence is a Stockholm-based information security and GDPR professional with over 30 years of relevant experience. Karen works as a Senior Privacy Consultant at Omegapoint and as a Data Protection Officer at Sparks Generation. Her day-to-day work involves helping them achieve GDPR compliance. She’s previously worked as a Data Protection Officer for several companies, a GDPR consultant, and has even served as an expert for the European Commission. On top of that, she is a certified Europrivacy Implementer. So, she knows what she’s talking about.
We were grateful for the opportunity to interview Karen on the pressing GDPR trends of today and actionable steps organizations can take in their data protection work. We hope you find the insights helpful!
Now, let’s get into our interview with Karen.
Introduction – Getting to know Karen and her work with data protection
How did you get started working in the field and how did your work change when the GDPR came into play?
"I wrote a book on privacy which was published by the British Computer Society in 2009. It was a bit before its time really.
Anyhow because I’d written a book suddenly, I was considered “the expert” and got assigned to the data protection projects when I was a consultant with Hewlett-Packard. My first major data protection project was in 2009 and in the telecommunications sector. "
What makes you passionate about the GDPR?
"A right to a private life is a human right and declared as such in the Human Rights Declaration (1948). The GDPR codifies this in legal text. What is unique about the GDPR compared to its predecessor (i.e., Data Protection Directive) is that it places control of personal data into the hands of the data subject making it the strongest privacy law globally. "
Working with the GDPR: Challenges and suggestions
What can we do to make the GDPR a topic that more people care about and bother to learn?
"Unfortunately, it is the fines handed out that will make people care, i.e., those sitting at board level in an organization who make the decisions on resources available to enforce GDPR compliance".
What is the biggest misunderstanding that most people have about the GDPR?
"That it is another law created to make our lives more complicated and that the DPO role must be filled by a legal guy. "
What is one thing GDPR-Reponsibles can do to correct this misunderstanding?
"A lot of what is required by GDPR should have been done anyhow, e.g., employee training, adequate security, documentation of business processes/dataflows, effective communications channels with customers, etc.
In fact, an organization does not need a GDPR expert (such as me) for a significant part of the work.
The best DPO I’ve worked with was a very experienced project manager, she knew her business (insurance) inside-out, because for over 30 years she had worked in every part of the business. "
What is an example of a GDPR initiative you have seen work in companies?
"A GDPR Gap analysis which surfaces what is missing along with a suggestion on what needs to be done in order to fix. "
What do you see as some of the biggest pain points or challenges to working with the GDPR/staying compliant every year?
"International transfers are a big pain, when they involve transfers to countries that do not have an ‘adequacy decision.’
The moving goalposts on transfers to the United States, invalidation of Safe Habor, then Privacy Shield, and now a new agreement is on the horizon… we just wonder how long this will last…
Shrems is already sharpening his sword for round 3. "
What are 3 concrete things companies should do that can jump-start their GDPR work?
"Well, it depends… but what is common for those who have nothing is:
- Privacy awareness training for all employees/contractor
- Create a register over data processing activities with legal basis of processing.
- Implement a privacy notice and assess the need for cookies (cookie consent banner) on website. "
Are there specific things you see a lot of companies neglecting? And what should they do to make those compliance areas easier?
"The role of the DPO is often merged into other functions, e.g., CISO, which creates a conflict of interest. (How this is a conflict can be read in this IAPP article). There have been quite a few legal cases whereby the combined DPO with other roles have resulted in fines. "
GDPR Implementation, Rulings, and Cases
What are some GDPR cases or rulings that you think are telling about the future of GDPR interpretation?
"There are quite a lot of cases. An interesting one which sparked my interest recently was a ruling on the interpretation of anonymized data.
Anonymised data is not considered personal data under the GDPR. Personal data was pseudonymized by the data controller, but ‘anonymised’ when sent to a sub-contractor, so they could do an analysis. The interpretation of anonymized data has been fuzzy, and will most probably continue to be so for a period of time.
But in this case, because the unique pseudonymized key was retained, it was decided that the data was pseudonymized not anonymized and the data subjects should have been informed of this data processing. "
You can read more about the case, SRV v EDPS here.
International data transfers have become more complicated with the GDPR. What can companies do to keep their data transfers compliant?
"Conduct a Transfer Impact Assessment (TIA) on all personal data that is transferred to assess the risks and remediate accordingly. "
The development of new AI tools has gotten a lot of attention in the last year. What obligations do companies have to ensure data protection with these new tools?
"Conduct a data protection impact assessment (DPIA) on all high-risk data processing, i.e., presents a risk to the rights and freedoms of the natural person. "
Many organizations use the GDPR and other cybersecurity laws or frameworks in their data protection work (e.g., CIS, ISO 27000, etc.). What are the advantages to working with a security framework like CIS?
"Article 40 of the GDPR recommends the use of Codes of Conduct, which are security and other standards which can be used as internationally approved compliance frameworks. "
Round-up: Karen’s advice and recommendations for staying up to date on all things GDPR
What is one piece of advice you would give to companies that are just getting started with their GDPR and data protection work?
"There is often a disconnect between the legal function, business, and IT. It can be useful to bring in a compliance guy who connects these functions. That is basically what I do most nowadays. "
What resources do you use to stay up to date on all things GDPR?
"IAPP.org, LinkedIn, Supervisory Authority for my country, etc. "
Any recommendations of podcasts, newsletters, etc.?
"The International Association of Privacy Professionals has a global view of the privacy landscape. The Daily Dashboard is a free newsletter. "
Conclusion
Huge thanks to Karen for sharing her time and insights with us! GDPR compliance can be tricky, with vague or changing requirements for international data transfers, data anonymization, and data processed by AI tools.
We hope Karen’s actionable recommendations are helpful in your GDPR and data protection work. For more information, we cover topics mentioned by Karen, such as security awareness training, GDPR fines, the role of the DPO, and more in our blog.
