This past Thursday, 15 November 2018, NautaDutilh Avocats Luxembourg held a breakfast seminar on the ten biggest mistakes in General Data Protection Regulation (GDPR) gap analysis and remediation projects, from a legal perspective. The seminar took place at NautaDutilh's offices and brought together professionals from key financial, tech and industrial firms as well as public institutions in Luxembourg.
Almost six months after the entry into force of the GDPR, Vincent Wellens (technology & data protection partner) and members of his team, Anne-Sophie Morvan (senior associate) and Faustine Cachera (associate), shared their experience with recurring errors in the context of GDPR compliance projects. Vincent opened the seminar by emphasising that GDPR compliance is an ongoing process that requires continuous effort. In his words, "being compliant one day certainly does not mean that you are compliant every day".
The seminar covered issues such as choosing the wrong lawful basis for processing, the handling of data subject requests and data breaches, backed by concrete examples. One subject which generated substantial interest and questions from the audience was the identification and definition of "personal data", which is not always easy as the scope can be surprisingly broad. Another frequent issue, discussed extensively, was the sometimes complicated distinction between the key concepts of "(joint) data controller" and "data processor". To illustrate this difficulty, several examples were discussed, such as a recruitment agency which, depending on the circumstances, can be either a (joint) controller or a processor.
The seminar was a great opportunity for GDPR compliance professionals to share their experience and best practices and ask questions.