New PwC Luxembourg survey shows how the Grand Duchy is coping six months into the application of the EU regulation
• Around 50% of respondents consider that they have implemented the majority of the requirements and changes.
• The mapping of all personal data processed is the key challenge for an important part of respondents.
• Almost ⅔ of respondents are confident they have not faced a personal data breach.
• 30% will see how to deal with a breach when it occurs.
• Among respondents, financial services companies are ahead of others in terms of maturity.
Six months after EU’s General Data Protection Regulation (GDPR) came into force, PwC Luxembourg carried out a survey in October 2018 to gauge the local market’s reaction to the new regulation. The survey consisted of 15 questions that mainly addressed various GDPR requirements and the corresponding readiness of companies and was sent to organisations from different industries within the country.
Frédéric Vonner, GDPR and Privacy Leader at PwC Luxembourg said, « With this survey, we aimed at understanding the level of post-GDPR compliance of the Luxembourg market. We’re grateful to all the respondents for taking the time to share their thoughts with us. It has helped us shed light on the current data protection practices in Luxembourg and to understand how organisations in the country are coping with key GDPR principles.”
Luxembourg market status: Smooth Sailing or Hot Water?
The results, revealed last night during a dedicated event, show that while around 50% of respondents consider that they have implemented the majority of the requirements and changes, an additional 40% consider that they will fulfil these requirements in the near future and they expressed compliance with certain specific requirements, such as the performance of risk assessments.
40% of the respondents state that they have identified the risks for data subjects, without having mitigated them. An important part of the respondents, 34% of them, stated that they have not conducted all the Data Protection Impact Assessments (DPIA) they should have done, while 10% of them responded that they have not put this action on their agenda.
A surprising fact that the survey reveals, and perhaps an indicator of overconfidence according to a few of the speakers at the GDPR event of this Wednesday 12 December, is that two thirds of the respondents are confident that they have not faced a personal data breach, irrespective of whether such a breach needed to be reported to the local supervisory body, the Commission Nationale pour la Protection des Données (CNPD), or not. The true question though is to know whether such companies are properly equipped to identify such data breaches.
Christophe Buschmann, Commissioner at the Luxembourg DPA (Data Protection Authority) – the CNPD who was present during the GDPR event, said, “Luxembourg is a small country that wants to be a major digital player; compliance is key to maintaining a good reputation that supports that ultimate goal. What this GDPR survey demonstrates is a general optimism and the level of confidence Luxembourg businesses are showing regarding compliance. Professionals are becoming more knowledgeable and working hard to comply. However, it is unacceptable to have no compliance strategy at all.”
Overall, the survey results suggest that respondents seem to be relatively confident regarding their compliance with the GDPR. “Only time will tell whether the GDPR-compliance journey has truly been smooth sailing, or more efforts needed to be put into the assessment of risks related to personal data and the review of IT systems,” Frédéric Vonner added.