On May 25, 2018, the General Data Protection Regulation (GDPR) came into force and significantly changed the protection of personal data in our country. The GDPR establishes many rights for citizens. Among other things, the Regulation provides for the creation of the position of Data Protection Officer (known as the DPO). We met with Emmanuel Tzivieris*, DPO at the Investment Bank of Greece, so that he could tell us more about this new position.
– Talk to us about the role of the DPO. Is it something new?
Many people refer to the role of the DPO as a novelty of the GDPR, which is not entirely accurate. The term is not unknown: it existed in European Directive 95/46, it was included in Greek Law 3979/2011 on eGovernment, and it existed in Germany; but in practice it was not used, at least not to such an extent. This has changed with the implementation of the GDPR, which provides for the mandatory appointment of a DPO, starting on 25 May 2018, for three main categories of organizations and businesses:
(a) Public authorities and bodies other than the courts.
(b) Organizations whose core activities require regular and systematic monitoring of subjects on a large scale.
(c) Organizations processing personal data of special categories, such as genetic data, biometric data, health data, etc.
– You are giving me the opportunity to ask you about the level of business readiness on May 25th. Had Greek companies and organizations already appointed DPOs?
I am not aware of the overall picture of Greek businesses and public organizations, so I cannot fully answer your question, but there are indications that the “last minute” rule was not excluded even in the case of the GDPR. At this point, I would like to emphasize that the GDPR was adopted in April 2016, which meant that all the persons in charge had more than two years to comply with its requirements, including the designation of a DPO. Even the incorporation of the Regulation into the national legislation of the Member States was delayed. Just a few days after its introduction, the European Commissioner responsible for justice warned eight Member States (including Greece) and urged them to speed up their compliance procedures.
– How would you describe the role of DPO in an organization?
There are various interpretations of the role the DPO has to play in an organization. It has been suggested that the DPO will be the “long arm” of the Data Protection Authority, or its “eyes and ears” within the organization. It has also been said that he will be an informal internal auditor who can carry out audits and communicate his findings to the Authority. However, we cannot confirm any of these theories while the legislative process is still in progress in Greece. The only certainty is that the DPO will be a communication channel, or the link between the organization and the Supervisory Authority, and will be entrusted with the tasks assigned by the Regulation in Article 39, such as monitoring the organization’s compliance with the Regulation, advising the company, briefing staff, giving an opinion on impact assessments, etc.
– How important are the personal data of the subjects that are managed and processed by a business?
There are whole business models based almost exclusively on the processing of personal data. Meanwhile, the digital world is evolving rapidly, and this has created an intangible environment of individuals, consumer preferences and needs. See what happens with electronic communications today and compare it to previous decades. Look at what is coming with artificial intelligence. A real cosmogony. So, you understand the importance of legislation such as the GDPR, which tightens the framework for the processing of personal data at a time when personal data and control over them are becoming decisive for the sustainability, competitiveness and further development of businesses.
– What do you think is the biggest challenge for a DPO?
The challenges mainly concern the innovations introduced by the Regulation in the general functioning of an entity. As you can see, it is a piece of legislation that changes the strategy and the way in which organizations and businesses have operated so far. The DPO, therefore, as the orchestrator of the compliance process, is called upon to confront habit, which is the greatest enemy of a healthy business. The DPO is called upon to create within the company a new culture that treats personal data with respect and a sense of responsibility.
– Can the consumer contact the DPO directly?
The Regulation provides for the obligation to process personal data in a transparent manner. In this context, the organization is required to share the DPO’s contact information with all data subjects, facilitating communication with him/her.
Any interested person may contact the DPO to be informed about the categories of personal data being processed, the purposes of the processing, the potential recipients of the data and, in particular, his/her rights as derived from the Regulation.
– What about the public’s awareness so far? Is there a response from, and interest among, the public in the protection of their personal data?
Remember the first days of application of the Regulation and the dozens of identical messages we received from various businesses, e-shops, social media, etc. Anyone claiming that they were not bothered by this information storm and did not delete most of these messages would not be frank. This negative atmosphere gave the impression that sending the newsletters discouraged the public rather than sensitizing it.
This climate is slowly reversing. The messages we receive from daily communication with the public, as well as the results of a recent survey on the level of awareness and information of the Greeks on personal data protection issues, are encouraging. More than 80% said they were aware of the new regulation, while 77% of respondents claimed they had become more cautious about how they shared their personal data. If the numbers tell the truth, then we are on the right track. This progress is largely due to initiatives such as yours, Homo Digitalis, aimed at raising public awareness, but mainly ensuring that the public is properly and responsibly informed.
– How do you see the future of business in this digital world?
Although I’m not good at predictions, what I can say is that compliance with the GDPR is the first major test that businesses face in this field. There are plenty of other, more demanding tests coming. The results of this first exercise will reveal the readiness of organizations to adapt to the new requirements and new business models of the digital world. Those who pass the test successfully have every reason to be optimistic that they will remain competitive, unlike the others, for which, unfortunately, the future does not look promising.
*Emmanuel Tzivieris holds a Bachelor’s degree from the Law School of Athens, a Master’s in Public Law from the National and Kapodistrian University of Athens and a Master’s in Law and Economics from Utrecht University. He is the DPO of the Investment Bank of Greece.