GDPR involves more than regulatory compliance
The deadlines are fast approaching!
The EU General Data Protection Regulation (GDPR) constitutes the European framework for protecting data privacy in EU member states, applicable from May 25, 2018. In France, it will gradually replace the Informatique & Liberté law currently in force, under the authority of CNIL, the national data protection authority.
Which data is concerned?
GDPR applies to different categories of personal data:
- Profiling data:
  - Racial or ethnic data
  - Data on political opinions, religious or philosophical beliefs and union membership
  - Genetic data and biometric data for identification
  - Health, sex life and sexual orientation
- Data on criminal convictions and offences
- Sensitive data (fiscal data, bank details, credit card number, etc.)
- Administrative data (address, telephone numbers, household members, etc.)
GDPR regulates the first three categories more strictly. However, it is up to individual states to define the sensitivity of personal data.
What are the new requirements of this regulation?
The list is long. We invite you to read our white paper on GDPR, produced in partnership with Cabinet Isabelle Renard and IBM (http://www.ibm.com/analytics/fr/fr/technology/general-data-protection-regulation/). Here are the key points:
1 – The fines for non-compliance are significantly higher: up to €20 million, or 4% of an organization’s consolidated revenues.
2 – The scope of application is extended to partners and subcontractors dealing with personal data processing (document hosting, archiving, printing, emailing, etc.).
3 – The principle of accountability replaces declaration. In France, exchanges with CNIL have essentially been declarations made by the processing manager. In future, all evidence of compliance, or of progress made towards it, must be available to the regulatory body upon request.
4 – Specific governance must be introduced to manage GDPR application and implementation. Companies with more than 250 employees must appoint a data protection officer to liaise with the regulatory body.
5 – IT applications must take GDPR rules into account (“privacy by design”), starting from the design phase, in particular by assigning a retention period to personal data, and by encrypting and anonymizing sensitive personal data.
6 – People’s right to access their personal data must be made easier to exercise, and that access must be controlled. Anyone who provides personal data must be able to:
- Explicitly authorize the processing of this data and withdraw consent at any time
- Request an inventory and retrieve personal data
- Request the correction or deletion of personal data by the processing manager, who must pass on the request to partners and subcontractors as relevant.
7 – In the event of a security breach, the supervisory authority must be alerted. Any detected security breach that could lead to the loss or theft of personal data must be notified within 72 hours.
How to convince organizations to comply?
Quite simply, compliance is mandatory. The work organizations need to do to achieve it may be seen as costly and restrictive, but it can enable them to reach other, equally relevant, objectives:
- Data engineering. Efforts to clean up and organize personal data can provide an opportunity to undertake more widespread data engineering to reduce redundancy and clarify data management responsibilities (e.g. who is responsible for client data and who can correct it). This can also enable gray areas to be detected and reduced (i.e. obsolete data that is not being used and does not need to be stored). In this way, compliance meets an objective of optimized, better quality data.
- An image of integrity. GDPR gives people the means to monitor the personal data they provide within a secure framework. By extension, the message sent by a company can be: “Our company enables you to access your personal data at any time in a secure environment. We will also enable you to monitor all the transactions you entrust to us.” This image of integrity can be a competitive strength, in line with service excellence.
- Reinforcing the organization’s data security policy. Protecting personal data means making the data security policy tougher and more reliable, combining it with rules on confidentiality, which may require specific encryption and anonymization.
- Obtaining more transparency on the obligations of subcontractors and partners. With GDPR, organizations are better able to control transactions involving personal data.