Interview with Lionel Gendarme - Partner at Grant Thornton Luxembourg

In preperation of the GDPR+1 Data Privacy Conference which takes place on the 22nd May 2019 in Esch-sur-Alzette (Luxembourg) we had the opprotunity to interview Lionel Gendarme - Partner at Grant Thornton Luxembourg.

GDPR+1:

1) To what extent has data protection influenced the corporate culture of your company or of your clients?

The management of Grant Thornton Luxembourg was quick to acknowledge the importance of the GDPR. Being part of an international network of tax, audit and advisory professional service providers, an inter-firm agreement was set up between member firms. This allowed to share personal data across member firms within a robust legal and contractual framework. 

On a local level we see that colleagues, especially from HR and Marketing have become very cautious on how they handle personal data and privacy as a whole. Where there is any mass communication or publicity event where pictures will be taken, advice is regularly requested from the DPO. Moreover many employees now pay greater attention to data protection when fulfilling their professional duties, but also as data subjects. For instance, staff have questioned the utility of displaying the number of sick days on salary slips or within internal workflows for vacation requests.

GDPR+1:

2) What was the biggest challenge for your company or your clients when implementing the GDPR?

A number of companies started working on implementing GDPR fairly late. When the heat around GDPR soared in early 2018, many firms started to acknowledge the full extent of what needed to be implemented within their respective firms. Their biggest challenge was to identify the extent to which they were impacted, and which activities they needed to prioritise by the 25th of May 2018 in order to have peace of mind.

Once guidance on how to implement the regulation became more readily available, the challenge shifted. Obtaining continuous management commitment became the largest hurdle, given compliance is an ongoing activity that can require a significant amount of resources. At present, numerous firms can confidently demonstrate their organizational processes are well aligned with the regulation, however putting these commitments into action is what makes this regulation truly challenging. Colleagues and clients find themselves with vast amounts of personal data logged in numerous applications, and physical files that date back many years. Knowing how to accurately identify, filter and manage such personal data in line with the principles of data minimization in an efficient manner, is one of many practical challenges that the GDPR imposes.

GDPR+1:

3) What was the most important lesson you or your clients learned in the course of the practical application of the GDPR?

Complying with the GDPR is not a binary matter. Persons who tend to take an “all or nothing view” are quickly unsettled when confronted with questions on GPDR compliance. On the contrary many GDPR requirements entail multiple shades of grey. How it is interpreted and applied may considerably vary depending on the data processing environment. It is therefore instrumental to be and remain pragmatic and to keep the principle of proportionality in mind when ensuring or controlling compliance with the GDPR.

Reflecting the principles in actions is an activity that needs to be developed on a gradual scale. GDPR implementation is a marathon not a sprint, but it does have a finish line. On the other hand complying with the GDPR is an ongoing task that entails accountability. A continuous effort is needed to evidence compliance, picture Sisyphus pushing a boulder up a hill only to have to do it until infinity. Ultimately accountability means taking ownership of the task at hand and systematically proving it.

GDPR+1: We thank you for the interview and are looking forward to meeting you at GDPR+1.