
5 major changes your company will have to face

By Eliott MOURIER, Ph.D. Political Science and Data Governance Consultant at Micropole

The new European General Data Protection Regulation, better known by its English acronym "GDPR", was adopted in April 2016, entered into force on May 24, 2016 and applies from May 25, 2018. It is reshaping the governance and practices of companies in terms of personal data management. In just 15 months, national supervisory authorities (the CNIL in the case of France) will be able to sanction companies and organizations that do not comply with the many requirements the regulation imposes or reinforces, with fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher.

If the main mission of the text is to reinforce the rights and protection of European residents with regard to their personal data, it also aims at fostering a climate of trust between individuals and companies in a field where caution and skepticism remain, today and rightly so, the rule. The position we defend, and which was developed in a previous post, is that the advent of the GDPR offers companies an opportunity to rethink in depth the management of their customers', partners' or employees' data, in order to play the transparency card, an essential prerequisite for a relationship of trust. The problem is that many companies today have only a very vague idea of the requirements they will have to comply with. Among the extensive list of requirements contained in the 99 articles of the GDPR, here are five that will lead to major changes in terms of governance, process redesign or technical tools, and that it is in the best interest of companies to anticipate now:

1. "Privacy by design" & "Privacy by default"

This is one of the major leitmotifs of the text (Article 25). Data protection must become a standard, an essential part of any project involving personal data. It must be addressed in the early stages of projects, be the subject of dedicated workshops, be a key point in the scoping notes and be written into the specifications. Its requirements will have to be integrated natively into applications and solutions (CRM, ERP, MDM, DMP, etc.), and cloud service providers or other data centers will have to meet security standards throughout the data life cycle. "By default" adds a second obligation: out of the box, a system must process only the personal data that is necessary for its purpose, with the most protective settings active unless the person chooses otherwise. With this emphasis, personal data protection can no longer be considered a "nice to have", but must be placed at the very heart of the design of projects and initiatives.

2. Consent management

The Regulation also establishes a fundamental principle (Article 6): unless a company or organization processes personal data to perform a contract, to meet a legal obligation, to protect someone's vital interests, to carry out a task in the public interest, or on the basis of a legitimate interest that is not overridden by the person's rights, it is not entitled to process that data (including retention, use, resale, analysis, etc.) unless it has obtained the data subject's consent to do so. Consent must be freely given, specific, informed and unambiguous, and explicit for sensitive data. No more "silence means consent", pre-ticked boxes, or the common practice of drowning consent requests in a mountain of indigestible terms and conditions. From now on, the company will have to obtain, and above all be able to prove (Article 7), that individuals have consented to their personal data being used for each stated purpose (commercial canvassing, marketing, statistical analysis, resale to third parties, etc.). Withdrawing consent must be as easy as giving it. Moreover, genuine centralized management of consents will have to be set up, both to give users and supervisory authorities visibility on the consents granted and to take a withdrawal into account as soon as it is received.

3. The right to be forgotten

This is perhaps the best known and most publicized of the GDPR's requirements (Article 17, the right to erasure), particularly because a number of national legislations (notably France, for minors, in its Law for a Digital Republic of October 2016) did not wait for the GDPR to adopt it. The point here is for companies to be able to guarantee to people who ask them for it (as long as the request is legitimate) that their data will indeed be permanently deleted from all their systems, and this without undue delay and at most within one month of the request (extendable by two further months for complex cases, provided the person is told). It is easy to see how complex such a service could be to implement in siloed information systems, where personal data, sometimes of poor quality and subject to multiple duplications, is often replicated across a multitude of consuming applications, backups and third-party processors. The Google Spain case (a complaint lodged in 2010 and decided by the Court of Justice of the EU in 2014), which led to tens of thousands of delisting requests, suggests that this type of procedure will be used more and more frequently.

4. The right to data portability

In the same way that telephone operators are now obliged to allow customers to keep their number if they cancel their contract and move to a competitor, the GDPR (Article 20) now requires companies to make personal data available to the individuals who request it in a "structured, commonly used and machine-readable" format. The text goes even further by stating that the individual will be able to ask a company to transmit that data directly to another company "where technically feasible". Once again, we can see the difficulties that could arise from this type of transfer between completely heterogeneous information systems. Although the practical terms of this right are still unclear, its application is likely to constitute a major technical challenge, forcing competitors in the same sector to consult and work together on common formats.

5. The appointment of a Data Protection Officer (DPO)

The last major change worth highlighting is the appointment of a Data Protection Officer (DPO), which is mandatory (Article 37) for public authorities and for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive data. It will not be enough to change the job title of your Correspondant Informatique et Libertés (CIL) to comply with this new requirement; what is needed is genuine cross-functional governance of personal data protection within the company. The DPO's prerogatives will include in particular:

  • Overseeing the implementation and monitoring of GDPR compliance initiatives.
  • Informing the organization and its staff of their obligations with respect to personal data management.
  • Acting as the single point of contact for all requests to exercise people's rights (right to be forgotten, right of access, right to portability, requests for rectification, etc.).
  • Cooperating with the supervisory authority.
  • Taking part in data protection impact assessments, which are mandatory for certain types of processing (profiling, sensitive data, etc.).

The list is clearly not exhaustive, but we can see from these 5 major changes how much the GDPR will disrupt the organization, processes and IS architecture of our companies. These evolutions are certainly complex, as they closely mix legal, business and IT aspects, but if correctly implemented, they will allow the company to demonstrate its concern for the respect of personal data and to be perceived as being "trustworthy". But as always when it comes to compliance, it will be the early adopters who will reap the most benefits.

Micropole offers a range of services dedicated to GDPR compliance, to help companies make an initial diagnosis of their state of compliance with the upcoming requirements of the GDPR and assist them in defining an action plan. A discovery morning will be organized on March 16, 2017 in Paris to exchange on these topics.
