Greetings from Nicosia,
The occasion: I was speaking yesterday at a Data Management and Protection Forum to a cross-section of Cypriot business leaders on the role of the DPO as provisioned under the EU General Data Protection Regulation. A thoroughly well-run event, the morning session was devoted to road mapping GDPR compliance and expounding the business case for a pragmatic approach to implementation and demystifying the punch of regulatory adherence.
I was delighted to see Tim Clements, CIPP/E, CIPM, CIPT, FIP, make his way down from Denmark, and we shared the stage in this session along with other Cypriot thought leaders in the field of data protection. As you may know, Clements is a faculty trainer for the IAPP and delivers CIPM training across Europe on our behalf and also through our European network of OTPs. Clements gave some great insights from his consultancy work on how clients are mobilizing their data privacy programs to address the changes being brought about by the GDPR and other relevant data protection legislation.
The event itself was opened by Irene Loizidou Nikolaidou, the commissioner for the Office of the Commissioner for Personal Data Protection in Cyprus. Nikolaidou addressed the rigor of the new regulation and emphasized several areas of importance for Cypriot business to consider. Notably, she also sought to reinforce the message of risk-based assessments regarding the GDPR and the need for an accountability culture, particularly for SMEs, which play an important part in Cypriot business activity. Her message was unequivocal: Do not see it as a threat. See the GDPR as more than a mere compliance exercise. Assess your needs and embrace the GDPR as an opportunity in an ever-changing competitive environment.
There were also interesting presentations made by local businesses on their organizational GDPR implementations. Multiple presentations discussed the need for wholesale data protection awareness and training for employees. Suggestions were made that training assessments should be directly tied to effective DPIAs as a potential outcome action. Moreover, where adopting top-down compliance (data protection) training, it was suggested that this was more than an HR task, but rather a requirement to be built into system controls, with appropriate KPIs. By extension, appropriate levels of training can serve as an integral factor in demonstrating accountability culture to necessary stakeholders.
By all accounts and from what I heard from folks here on the ground, the Cypriot commissioner is quite busy and actively engaged. Recently, in January, Nikolaidou issued an interim decision to the Cyprus Football Association to temporarily cease being the sole seller of (domestic) football away game tickets and to destroy any personal data it may have collected in doing so. The crux of the issue was that the CFA was violating the law by requiring too much personal data for the purpose of purchasing tickets. In their response, the CFA said their decision was taken in an attempt to curb violence in stadia.
More to follow, but it's clear that, in Cyprus, privacy rights are very much in the mainstream — and publicly so.