Protecting The Public – What GDPR Means For Business

Marie-Claire Grima - 19th May 2018

The introduction of the General Data Protection Regulation (GDPR) has wide-ranging consequences for businesses operating in the EU as well as outside the bloc – but what does it mean for Malta?

The General Data Protection Regulation (GDPR) takes the European Union’s commitment to privacy and data protection further than any piece of legislation before it. From 25th May 2018, the GDPR expands the existing privacy rights of EU residents and, consequently, places a wide range of compliance obligations on businesses operating both inside and outside the EU.

Kevin J. Borg

Kevin J. Borg, Director General, Malta Chamber of Commerce

“As is normal practice for all responsible businesses in Malta, preparations for compliance with GDPR were taken very seriously and many businesses have taken the necessary steps to get in line with the new legislation,” says Kevin J. Borg, Director General of the Malta Chamber of Commerce, Enterprise and Industry. “This does not mean, however, that everyone is ready for 25th May. I view the situation as a mixed bag: some businesses are prepared, but others are struggling to meet the deadline.”

Mr Borg says that the introduction of GDPR is expected to bring about an increased level of credibility and accountability for businesses. “This is expected to reflect in a greater sense of trust and enhancement in the business-customer relationship. The new legislation is also needed as new technologies enabling on-line communication and transactions are posing greater risks to businesses and consumers alike. This demands a concerted response to ensure that we are well prepared to prevent any undesirable eventualities. However, every change, no matter the size, will always have an effect on businesses, especially SMEs as these will be geared on the running of their businesses and seeing to the needs of their clients. Businesses will typically have to momentarily divert their attention from their day-to-day operation to address such changes, hence affecting their productivity.”

Mr Borg says that in the past few years, the Malta Chamber organised a number of information sessions as well as informative seminars on the subject, which were open to the public and members to update themselves about the upcoming Regulation. “During each event, members were exposed to information given by experts both from the public sector, which is expected to regulate GDPR, as well as the private sector, which offers services to companies on the subject. As always, the Malta Chamber remains available to help businesses that may experience difficulty in this area, within the context of its mission to enhance the business environment of the country.”

Antoine Aquilina

Antoine Aquilina, Information Security Officer, BOV

The comprehensive nature of GDPR meant that even companies that were already up to speed with data protection principles had to up the ante in order to be compliant with the new legislation. “Bank of Valletta’s initial reaction was that while the core data protection principles were not significantly altered, the enforcement and reporting framework of the Regulation was significantly more onerous,” says Antoine Aquilina, Information Security Officer at BOV. “Today we can say that our assessment was correct. Following the publication of the GDPR, the bank conducted an impact analysis in order to identify those areas which required changes in order for the bank to fully comply with GDPR.”

Mr Aquilina says that the Payment Services Directive 2 (PSD2) – which came into force on 13th January this year, and aims to make payments safer, increase consumer protection and foster innovation and competition – and the GDPR are two major new pieces of legislation which, although unconnected, share common objectives with regard to personal data. “However, when implementing these high-level principles, challenges and conflicts quickly became apparent, particularly in the area of consent. This matter, amongst others, needs to be tackled well, as this may risk the successful implementation of either legislation.” The biggest takeaway from the process, Mr Aquilina states, is that GDPR cannot be considered in isolation but must be implemented taking into account other current regulations such as the 4th Anti-Money Laundering Directive (4th AMLD) and PSD2.

“The bank was already subject to the Data Protection Act; however, GDPR has strengthened the focus on a data-centric approach, quality and control. I think that when it comes to Maltese businesses overall, GDPR will reshape the way they approach data protection measures, due to the new rights of data subjects and the penalties that can be imposed for breaches.”

Gordon Micallef

Gordon Micallef, Business and Technology Advisory Partner, RSM

Gordon Micallef, RSM’s Business and Technology Advisory Partner, states that as the understanding of GDPR grew, the company was able to absorb the fact that many principles reflected good data governance, and that while many activities had not yet been formalised, they were already practised. “The largest implementation efforts revolve around the retention policies and effective disposal of data that is no longer required for the processing objective,” he says. “We carried out an impact assessment plan to understand where the gaps are, and to have visibility of the overall plan, in order to align ourselves to the new Regulation. Based on the overall plan, we were able to prioritise our actions and monitor the compliance programme. Clear data owners were assigned to have good governance maintained beyond the preparation.”

“As a company, we collect a lot of data, some we may not have necessarily needed. GDPR has shown that many organisations were not aware of the existing regulations, and have only become conscious of some serious obligations through the overall market awareness of GDPR in the events attended and articles read by controllers. GDPR implies better governance of data and improved cybersecurity practices. The most important lesson we’ve learnt from preparing for GDPR is the need to be more transparent in the processing of personal data to data subjects.”

Josef Busuttil

Josef Busuttil, Director General, Malta Association for Credit Management (MACM)

Josef Busuttil, Director General of the Malta Association for Credit Management (MACM), says the organisation has been lobbying for increased data protection for several years. “I think that companies that were already compliant with data protection will see little difference in their operations – but those that had a lot of catching up to do to begin with should have started working on this at least a year ago,” he cautions. “There’s a lot of work to be done – carrying out data protection audits, figuring out what information is being kept, how long it is being kept for, and why it is being kept. Maltese companies have a major issue when it comes to holding on to data that they don’t need, especially when it comes to employee data. Plenty of major companies hang on to old employee data, even when those people don’t work there anymore; or CVs of prospective candidates, even after a recruitment drive is over. Would they have informed the prospective candidates that they will be holding on to their information for a period of six months, or a year, or more? Not necessarily.”

Mr Busuttil states that as Director General of the MACM, he believes the business community should be aware of the GDPR, how to comply with it, and the consequences if they don’t do so. “The penalties for non-compliance are hefty, and I believe the business community needs to be well-prepared to comply with GDPR. As the MACM, we’ve carried out all the audits, and are very close to being fully GDPR-compliant – by 25th May, I can guarantee that we will be so. Naturally, we’ve been pushing our members to follow suit; we’ve carried out information sessions for our members about preparing for this legislation, and how GDPR will affect their relationships with their own clients as well as our own organisation.”

David Grech

David Grech, CEO, Medicare Malta

“GDPR highlights the fact that we live in a potentially scary world where personal data needs to be protected from misuse and fraudulent use, and where privacy needs to be safeguarded,” states David Grech, CEO of Medicare Malta. “Our initial reaction to the introduction of GDPR was somewhat apprehensive, given that as occupational healthcare providers we are responsible for the data of thousands of employees of our corporate clients. Naturally we had prior documentation in place already, which nonetheless required revision and redrafting. We have engaged the assistance of a data protection consultant and formalised our procedures and data archiving and consent processes further to make them compliant.”

Dr Grech believes that the company’s data collecting, archiving and usage consent processes are more streamlined and efficient as a result of these changes. “There is of course a compliance cost, and one needs to be wary of defensive practices in response to frivolous complaints of data misuse. The long-term benefits in terms of corporate governance and business-to-client relationship management can only be positive ones.”

This article originally appeared in The Commercial Courier
