‘In the digital age, trust is very important’: Data Protection Commissioner makes rare public appearance

Speaking during an event organised by The Malta Chamber of Commerce and Enterprise: Data Protection and Cyber Resilience: A Powerful Combination, Malta’s Data Protection Commissioner Ian Deguara stressed the importance of firms actually understanding the importance of protecting data.

In a rare public appearance, Mr Deguara was one of the panellists in a discussion held with The Malta Chamber CEO Marthese Portelli, BMIT chief customer success officer Nick Tonna, MPS director Chris Mifsud and APCOPAY CTO, Gabriel Sultana.

When asked what businesses of any size should prioritise to enhance data protection and cyber-resilience he was quick to point out that one-size-fits-all solutions aren’t the way forward:

“We could have a small enterprise which processes huge amounts of personal data, maybe special categories of data, health data in particular,” he said, making the point that “we should not look at the size of the organisation.”

“It should be an overall strategy to understand the importance of actually protecting data. We speak about reputational damage, but it’s also about trust. In the digital age, trust is very important.”

He also stressed the importance of having the necessary policies and procedures in place, and warned against the idea that data security could viewed as a one-time exercise.

Recalling the introduction of the General Data Protection Regulation (GDPR), he said, “I hate to say this but in the run-up to GDPR everyone was freaking out trying to become compliant. I still remember that in those months before [it came into force] we were inundated with requests. But I was thinking to myself, why, when we’d had data protection law since 2003?”

He described GDPR as an evolution, and not a revolution of the legal framework at that time.

Before responding to another question, he remarked, “I think that controllers and processors should be more proactive.”

“We go to conferences, we go to events, we hear a lot of buzzwords, ‘digital transformation’, ‘ISO standards’. Then we go back to the office trying to do something and all that energy and excitement fades away because it is not taken up by top management, perhaps because of profit-maximisation.”

While many see data-protection as something that hinders progress and profits, Mr Deguara said it’s actually the other way round.

“Having a clean sheet, having never been subject to a data breach because you have a proper security posture, should be considered a major selling point.”

He reiterated a comment made by another panellist, who said that 60 per cent of companies which suffer a data breach fail within a year.

Harking back to the importance of trust, he said he wouldn’t trust a company that doesn’t have proper security measures in place with his data.

“I am giving it to you as a company to render me a service, so I expect you to treat that data with the proper and necessary safeguards. Not to give it to other third parties without letting me know and obtaining my consent, using it only for the purpose I have given it to you for.”

He stressed the importance of not lowering the regulatory bar. “We have as the EU a solid piece of legislation., we have the principles there, we do not lower the bar in order to appease other countries or stimulate economic growth at the expense of fundamental rights.”

When GDPR was rolled out, certain US-based newspapers stopped providing their service to EU citizens.

To this the Data Protection Commissioner said, “Yes so be it. If they are not able to meet that bar, yes, close shop, I’m sorry.”

“Even when it comes to AI, I know it is important, We have the AI ACT on the doorstep. It is going to, hopefully, this year, be adopted by the co-legislators.”

“They have to meet that bar. That is what are our standards as EU citizens because we have fundamental rights. They are enshrined, entrenched in the Charter. We do not lower those rights.”

UK GDPR and Implications of the data privacy bill

During the Q&A segment of the panel, one of the attendants said that many Maltese companies have longstanding partnerships with UK companies, and the EU an adequacy decision on the UK which is set to expire in 2025.

UK companies which are in agreements with Maltese and other EU companies say they are conforming with UK GDPR. On this, the attendant asked whether companies should object or reject UK GDPR as being legitimate.

Mr Deguara said that until now, UK GDPR is effectively the same as EU GDPR. However the country is currently debating a new law called the Data Privacy bill.

He explained that an adequacy decision means that data can flow between the EU and a third country without having the need to implement appropriate safeguards such as contractual clauses, binding corporate rules and certification.

However, he added that the new UK data protection law is the subject of a lot of discussions among European stakeholders, as they do not want it to diverge from the EU GDPR.

If it did, Mr Deguara said the EU Commission may consider withdrawing the adequacy decision

“That would impact controllers and processors in Malta as well as in the whole EU, because they would then have to rely on different rules, on chapter five of GDPR to be able to transfer data.”

“I am aware that the UK were very cautious in their approach, even though there were some changes in order to reduce bureaucracy.”

“But the EU Commission is all eyes on the UK.”

In the EU’s adequacy decision on the UK, there are also provisions for an ‘emergency break’ allowing it to suspend the adequacy decision before it expires.

He also said that the adequacy decision on the UK is the first one of its kind to include a sunset clause, meaning it’ll be subject to a review.

“Currently there are a number of adequacy decisions, and in my personal view the EU Commission should start reviewing all those decisions.”

Compliance challenges for SMEs

An attendant expressed concern of the challenge small and medium businesses have in meeting compliance mechanisms, and that they have fewer resources at their disposal to meet the same requirements as large businesses. As a result, they have to rely on service providers.

On this note, the Data Protection Commissioner brought up the fact that, when he met with the Malta Digital Innovation Authority (MDIA) it informed him that it has a scheme which would cover up-to €10,000 of the cost of improving a businesses’ cybersecurity, and yet the uptake was zero.

“The information is there; the schemes are there. Even when it comes to data protection, the information, the guidelines, the self-assessment methodology, the risk assessment, they are all there, you have a lot of information out there, just use the search engine and look them up,” said Mr Deguara.

“You can engage professional people but if you want to do the job yourself, you are able to do it, you have materials out there. We as the IDPC issue loads of guidelines on many areas.”

“The information is there, look it up. If you are not able to look it up then awareness-raising campaigns are important, education is important all that. From a data protection point of view, you have all that out there, at your hands with a few clicks of your keyboard.”

Featured Image: Data Protection Commissioner Ian Deguara via The Malta Chamber