Life after the GDPR: Good Data Protection Rules and Prospects for the Future

  • November 09, 2018
On October 18 the University of Szeged and the Ministry of Justice hosted an international conference, focusing on the challenges associated with the implementation of the General Data Protection Regulation and the future of data protection. At the event, a professional roundtable discussion was organized on the application of the GDPR at enterprises, moderated by AmCham Regulatory Committee Chair Dr. Gábor Orosz, and with the participation of the AmCham Regulatory Committee members.

The event opened with a welcome message by Giovanni Buttarelli, European Data Protection Supervisor, who highlighted that GDPR represents a significant milestone in protecting people’s fundamental rights, creating a uniform regulatory environment, directly applicable in the EU member states, extending the protection outside of the European Union.

Following the introductory remarks from Gizem Gültem-Várkonyi about data protection as a fundamental human right, the audience had the privilege of hearing Urszula Góral’s speech (Director of International Cooperation and Education Department, Personal Data Protection Office of Poland) in which she shared her experiences regarding challenges of the preparation for GDPR from the Office’s perspective.

The next speaker, dr. Endre Győző Szabó (Vice President of the National Authority of Data Protection and Freedom of Information), reflected on the Hungarian Authority’s achievements in the preparations for the application of the Regulation. He underlined the relevance of the new process for reporting incidents resulting in personal data breach.

The audience had a chance to hear about the challenges faced by the legislator’s side as well. Dr. László Péter Salgó (Deputy Secretary of State, Ministry of Justice) shared the Ministry’s results on creating consistency between the GDPR and the Hungarian sectorial laws, including an “omnibus” draft bill currently reviewed by Parliament’s responsible committee. He recognized that the responsible ministries still need to put in an enormous effort to address the inconsistencies in the national legislation.

Dr. László Trócsányi (Minister of Justice) recalled the legislative and political process of enacting the GDPR. He stressed that, without having trust in the protection of their personal data, consumers will not use the advantages of online cross-border and national transactions. The first data protection directive was not designed to accommodate the internet-based society’s needs. However, in the last two decades the technology took a quantum leap, increasing the value of personal data. The Regulation was created to address this giant leap, ensuring the adequate level of protection of personal data and giving back the control to the data subjects. The Minister highlighted that the harmonization of Hungarian legislation with the Regulation has already started but is not yet finished.

After a short networking break dr. András Tóth (Associate Professor, Károli Gáspár University of the Reformed Church) shared his thoughts about the challenges associated with the development of law and technology, emphasizing the importance of the “privacy by design” principle of the GDPR. He commented that the idea of built-in protection stems from the MiFID 2 directive and raised the question, how “fair trade” of personal data, including the provision of services in exchange for personal data could be better controlled by competition law agencies.

Dr. Gergely László Szőke (Assistant Professor, University of Pécs) presented a SWOT analysis of the GDPR, focusing on the potential opportunities to improve data protection awareness.

Professional roundtable – Application of the GDPR at enterprises

After a short brake, the event continued with a roundtable discussion with the participation of the AmCham Regulatory Committee members, moderated by dr. Gábor Orosz (EMEIA Legal Director, National Instruments Corporation). The participants of the roundtable represented a broad variety of industries – dr. Balázs Fazekas (Legal and Regulatory Director, Invitech Solutions) and dr. Dániel Szeszlér (Group Legal Director, Magyar Telekom) from the telecommunication sector, dr. Tünde Haskó (General Counsel, MOL) from the oil and gas industry, dr. Ádám Liber (Associate, Baker McKenzie) and dr. Ádám Farkas (Manager, EY – Forensic & Integrity Services) representing consulting firms. 

The panelists agreed that establishing GDPR-compliant practices required significant efforts from the companies, including the adoption of new processes, tools, adjusting IT-systems, training employees and raising awareness for customers – being large companies, they could tackle these challenges through allocating the necessary resources.

Members of the audience commented on the discussion, highlighting that compliance with the GPDR raised significant difficulties in small companies’ or self-employed entrepreneurs’ life, who are not able to employ legal or data protection professionals. The panelists agreed that a reasonable approach shall be followed in applying efforts proportionate with the size, nature and risk profile of the given data processing. Question was raised, whether the supervising authorities would accept and apply this “reasonable” approach. The participants also agreed that the Hungarian Authority could take on a greater involvement in providing individuals with more information to foster the effective exercise of their rights granted by the GDPR, and in providing more detailed guidance to the small and medium enterprises, in order to assist their compliance efforts.  

The participants had different opinions about the meaning of “compliance”. According to the majority opinion, compliance is not a state, but an ongoing effort to meet the requirements of the Regulation. A common mistake, the panelists emphasized, when companies execute their projects aiming compliance, then they do not pay attention to make sure their programs work.

Regarding the future of data protection, the members of the roundtable shared the opinion that the national legislation should speed up the process of adjusting sectorial laws with GDPR, overcoming the uncertainty and filling the obvious gaps in the network of laws.

As a closing thought, the panelists raised an interesting question: national data protection authorities are now ready to oversee commercial companies’ compliance with the legislation, however, will this supervision cover public institutions as well?