Want to hear about effective GDPR work from an expert herself? You’re in the right place, because we connected with Anna Eidvall and she gave us some advice on implementing successful GDPR and data protection initiatives and how any company – big or small – can overcome common GDPR challenges. Anna shared her insights on these topics, and much more:
- Why you need to budget and plan for data protection to be an ongoing priority
- How to avoid the false sense of compliance that documentation can bring
- The shifting focus on small and medium sized organizations’ data protection responsibilities
So, let’s get into our interview with Anna!
About Anna Eidvall
Anna Eidvall is Partner, Board Member and Head of MAQS Advokatbyrå's Privacy and Data Protection practice in Stockholm. She has extensive experience in data privacy and advises on data protection policies, information notices, data protection impact assessments (DPIA), and third-country transfers. Basically, she’s your go-to expert if you want to stay up to speed on the latest privacy trends or need help understanding what the GDPR means for your company.
What drives Anna to work with the GDPR and data protection
How did you get started working in the field and how did your work change when the GDPR came into play?
“My first assignment, at my first job after university, was to advise a client on a data protection issue. A fluke. I have been hooked ever since.”
“Before the GDPR, my practice was somewhat more diverse and split between data protection and commercial law. However, as soon as the GDPR came into play, my practice was consumed by privacy and data protection matters.”
What makes you passionate about the GDPR?
“Privacy and data protection is a human right, and it is becoming increasingly important in light of digitalization, etc. Also, working with privacy and data protection, you get to start with yourself, asking – ‘How would I feel about this?’”
GDPR in your organization
What are 3 things we can do to make the GDPR a topic that more people care about and bother to learn?
“The main thing we need to do, on all levels, is to raise awareness – again, privacy and data protection is a human right; people have a lot of control over their own data. Since it is such a fundamental part of digitalization, training and understanding of the basic principles should also be included in many more university degrees. Lastly, and what I believe is happening, is to include it on the political agenda.”
What is the biggest misunderstanding most people have about the GDPR?
“That it is unlawful to use someone else’s data without consent.”
And what is one thing that GDPR-Responsibles can do to correct this misunderstanding?
“Ensure that they are transparent with how they process individuals’ data and provide tools (e.g., information and privacy platforms) that make it easier to understand how personal data is used by the ‘GDPR-responsible’ (and on which basis).”
What are 2 examples of GDPR initiatives you have seen work in companies?
“Basic employee training and specific awareness programs.”
“It is fundamental to educate and involve all employees on data protection matters as well as to raise the level of awareness throughout the organization, including management. This allows data protection questions to be identified and managed in a correct way in the day-to-day business.”
“Organisations that live and breathe data protection/privacy from the top and use a ‘tone from the top’ approach are generally more successful in their implementation.”
Are there any examples from your own work that worked well? What are they and what change did they bring?
“For many companies it is hard to know where to start and the work might seem overwhelming at first. To get a better understanding of the level of compliance, both for our sake and the client, we combine a data protection gap analysis with basic training to get the client to start thinking about data protection matters in an easy, comprehensible way.”
“This gets the whole organization involved in an early stage, creating a sense of responsibility across the entire organization. With the analysis as a base, it is easier to plan and prioritize, as well as to get everyone ‘on board’.”
GDPR is not new anymore, but compliance can still be difficult. What do you see as some of the biggest pain points or challenges to working with the GDPR/staying compliant every year?
“To ensure that sufficient budget and time is reserved for compliance-related matters. Compliance is not a one-off project but something that you have to live with and practice every day.”
What are 3 concrete things that companies should do that can jump-start their GDPR work?
“Make sure there is budget and time to see the ‘project’ and the work through.”
“Appoint someone internally to be responsible for these questions (does not need to be a privacy professional). If the right expertise is not available internally, engage a consultant to help you understand the legal framework and what it means for the business.”
“Training and raising awareness to ensure that everyone in the organization thinks of privacy and data protection in their everyday tasks.”
Are there specific things you see a lot of companies neglect? And what should they do to make those compliance areas easier?
“It’s easy to focus on the documentation that the GDPR requires to be in place. However, many fail to implement the documentation. As a consequence, we see a lot of documentation from 2018 which has not been lived up to (and/or updated) ever since.”
“Just having the documentation in place does not mean that you are compliant. Instead, it can create a false sense of compliance.”
For smaller companies specifically, what are 3 things IT managers, DPOs and GDPR employees can do to keep up with their GDPR work despite having smaller budgets or more limited resources?
“There is a lot of free online education, webinars, etc. that will help raise the level of awareness and knowledge without straining a smaller budget. It might also be a good idea to sign up for free newsletters, for instance from the local supervisory authority, to keep track of what is happening within the field, new rulings, etc.”
“On a more general level, it will be crucial to prioritize and focus on the most important and high-risk data protection aspects of the organisation to make sure that these are taken care of.”
“In addition, it is often very lonely to work with GDPR in a smaller business. Hence, it is usually well spent money to set aside a smaller budget to have someone to discuss more difficult questions with.”
What Anna’s watching in the GDPR enforcement world
What are 2 or 3 GDPR cases/rulings that you think are telling about the future of GDPR interpretation or implementation for the next 5 years?
“The Schrems rulings (I and II, as well as others probably to come – e.g., the Meta fine). The rulings demonstrate how problematic it can be to not have a full picture of your data flows and that our high standards are difficult to adhere to in practice. It also challenges the boundaries of where the GDPR allows for a risk-based approach – something I think we will see more of in the years to come.”
“In general, many rulings/cases focus on data subject rights and the basic principles. This will likely continue, making it important to have data protection/privacy expertise easily at hand.”
“The focus on bigger and medium size companies will also likely continue, as will the focus on international social media platforms and other actors.”
International data transfers have become more complicated. What are 2 or 3 things companies can do to keep their data transfers compliant?
“It is important to review all international data transfers that take place from your organization to ensure lawful and compliant data transfers outside the EU/EEA. This includes, among other things, having a full and complete understanding of your data flows and the actors/countries involved.”
“Hence, companies should ensure that their records of processing activities (ROPAs) are up to date. Companies should also check the need for a data transfer impact assessment (DTIA) to be carried out - and make sure that they or the supplier have done so. If the standard contractual clauses (SCCs) are to be used, make sure you use the new version.”
The development of new AI tools has gotten a lot of attention in the last year. What obligations do companies have to ensure data protection with these new tools? What are 2 or 3 precautions companies should take?
“If the development or use of AI tools includes personal data, the rules of the GDPR have to be abided by.”
“This means that there must be a legal basis in place (both for training and use) and most often, it also requires a data protection impact assessment. Depending on the outcome of such assessment, other measures may need to be implemented – e.g., policies/instructions on how the tools may be used, retention schemes, etc. In addition, information on the processing must, of course, be included in the relevant privacy notice.”
Using cybersecurity frameworks in your data protection work
Many organizations use the GDPR and other cybersecurity laws or frameworks in their data protection work. Of course, laws have to be complied with, but what are the advantages of working with a security framework like CIS?
“Working with security frameworks like the Center for Internet Security (CIS) has several advantages, such as providing a comprehensive set of security controls and best practices that organizations can follow to enhance their cybersecurity. Additionally, CIS provides a structured and well-defined framework that covers various aspects of information security, including access control, incident response, vulnerability management, and system hardening. Implementing these controls helps organizations establish a strong security foundation and protect their systems and data from common threats.”
Last thoughts and advice from Anna
What is one piece of advice you would give to companies who are just getting started with their GDPR and data protection work? What about IT security managers?
“To understand how data protection regulations impact your business, you need to understand the GDPR and other regulations applicable to your business. There might be employees who already know a little bit about these things or who are interested in learning more, which is why it is a good idea to review what resources you already have within the organization to build your data protection organization.”
“It is also important that the resources collaborate with other important stakeholders within the business such as IT security managers, or others who work with legal matters, compliance, HR, etc. And – again – make sure that you have the budget and time to see the whole thing through!”
What resources do you use to stay up to date on all things GDPR?
“Newsletters - both from companies and authorities - are a good source of quick, compiled information. There are also a lot of interesting and knowledgeable people within data protection who share their thoughts and insights on LinkedIn, you just need to find them.”
Any recommendations for podcasts, newsletters, etc.?
“I usually listen to the podcasts Dataministeriet and Serious Privacy. In addition, MAQS law firm, where I work, regularly publishes a newsletter about data protection and privacy, which is free and easy to sign up for: Intresseanmälan: nyheter inom integritet och dataskydd (ungpd.com).”
“You are also more than welcome to follow me on LinkedIn, where I regularly publish content and news about the GDPR.”
Wrapping up
We are so grateful to Anna for sharing her time and insights with us! She left us with great tips on building a data protection team within your organization, fostering awareness among all employees, and keeping data transfers compliant.
We hope you found our interview with Anna helpful!