GDPR Register CEO Krete Paal: 'Data protection authorities in Europe are gaining confidence and capability'

  • 2024-06-22
  • Linas Jegelevicius

GDPR (the General Data Protection Regulation) is an EU regulation designed to protect individuals' personal data by giving them more control over how their data is collected, used, and stored, while requiring organizations to implement strict data protection measures and ensure transparency. It is in force and can still catch some off guard, and non-compliance can result in severe penalties, including hefty fines. GDPR Register comes as an all-in-one platform to streamline data mapping, reducing long-term expenses and accelerating the creation of privacy documentation and reports.

“Briefly speaking, it consolidates all privacy matters into one location, offering a comprehensive overview of your company's privacy health. In the long run, having the data mapping done directly in our platform will be cost-efficient, user-friendly, simple and more transparent,” Krete Paal, CEO at GDPR Register, told The Baltic Times Magazine.

Why is privacy compliance for companies so important today?

Privacy compliance is crucial for companies today because it helps protect sensitive personal data, build trust with customers, and avoid legal and financial penalties associated with data breaches and non-compliance with regulations like GDPR. Additionally, maintaining robust privacy practices enhances a company's reputation and competitiveness in an increasingly data-driven market.

What are your key recommendations for a company taking privacy compliance seriously?

Always start with your privacy foundation – determine what personal data you collect, where it is stored, how it is used, and who has access to it. Understand how data moves through your organization, including any third-party transfers. Identify the legal basis and the purposes for which data is processed. This is also something that GDPR Register offers as our core service in our platform.

Educate employees and enhance cooperation – provide ongoing training for employees on data protection principles and privacy compliance. Implement programs to raise awareness about the importance of data protection.

Put security measures in place. To ensure comprehensive privacy compliance, it is crucial to establish strong security protocols that safeguard personal data against breaches and unauthorized access. With personal data always comes a great responsibility and duty to protect them. All safeguards should be appropriate to the risk and be adjusted in case the risks change from time to time.

Documentation also plays an important role in privacy compliance. Being able to demonstrate compliance aligns with the accountability requirement in the GDPR. Comprehensive documentation of data processing activities, consent records, and compliance measures is essential for audits and regulatory reviews, helping to prove that your organization adheres to privacy laws.

Does a company based outside the European Union but operating in it need to comply with the GDPR, too?

Yes, a company based outside the European Union but operating within it must comply with the GDPR if it processes the personal data of individuals located in the EU or offers goods and services to them. The GDPR has extraterritorial reach to ensure the protection of EU citizens' data regardless of where the company is based.

Does a non-EU based organization need to comply with GDPR?

Yes, a non-EU based organization must comply with the GDPR if it processes the personal data of individuals in the EU or offers goods and services to them, regardless of the organization's location. This extraterritorial scope ensures that EU citizens' data are protected globally.

What if a company does not charge for services, does it need to comply?

Yes, a company that does not charge for services still needs to comply with the GDPR if it processes the personal data of individuals in the EU. The regulation applies to any organization handling EU residents' data, regardless of whether the services are provided free or for a fee.

What are the penalties for those who fail to comply?

Organizations can be fined up to 4% of their annual global revenue or €20 million, whichever is higher, but the more severe consequences can also be reputational damage, court proceedings, or even temporary or permanent bans on data processing activities until compliance is achieved.

Is appointing a Data Protection Officer (DPO) in a company advisable?

Appointing a DPO is mandatory under the GDPR for certain types of organizations, such as public authorities, organizations that carry out large-scale, systematic monitoring of individuals or organizations that process large amounts of sensitive personal data or data relating to criminal convictions and offenses. Even if not mandatory, appointing a DPO is advisable as it brings expertise, enhances risk management, and helps build trust with customers and regulatory authorities.

Can you give some examples of when companies got in trouble over breaches of privacy compliance?

Data protection authorities in Europe are gaining confidence and capability, as reflected in the statistics for penalizing violators. Last year, Ireland imposed a record fine on Facebook, and businesses and government institutions have been fined a total of four billion euros for GDPR violations. The statistics of proceedings strongly indicate a shift in supervisory focus towards artificial intelligence and machine learning, and the use of personal data for their training. We must not forget that new privacy-related regulations are also coming, for example the AI Act, which partially bans facial recognition technologies in connection with the enforcement of new AI regulation.

Regarding Estonia, several health-data-related data breaches, both being the largest data breaches in Estonia considering the number of affected individuals, have been revealed recently, and this opened a new discussion regarding a company's obligation to protect sensitive data, what sufficient security measures are, and retention periods. The criminal and supervisory proceedings are still ongoing, and it is yet to be determined what the outcome will be.

How can AI help GDPR and any company in the field?

Overall, AI can enhance a company's ability to comply with GDPR by providing efficient, accurate, and scalable solutions for data protection and privacy management, such as automating data management, monitoring and detecting data breaches, risk management, compliance checks, managing data subject requests, and generating privacy documentation, which otherwise would be very time-consuming and costly.

GDPR Register is currently building, within Tehnopol's AI accelerator, a way to use LLMs to automatically draft privacy documents easily, saving over 90 percent of the time usually spent drafting them manually. We are aiming to develop the feature even further, expanding the range of documents that can be generated automatically.

Data protection has become a very data- and time-intensive field that requires significant resources from companies. At the same time, mistakes made due to ignorance or lack of resources can be extremely costly.