[EXPERT OPINION] At the beginning of 2019, Eliott Mourier, GDPR & Data Privacy Manager at Micropole, gives us an assessment of the implementation of the General Data Protection Regulation (GDPR) by French companies.
The start of a new year is always a good time to take stock. Taking stock of the implementation of the GDPR by French companies, nearly eight months after it came into force, is instructive in more ways than one and sets the tone for a 2019 that will also be shaped by the protection of personal data and communications.
First, 2018 saw an unprecedented awareness, among both the public and companies, of what is at stake in personal data protection, not only in France but worldwide. This wave is obviously linked to the heavy media coverage of the GDPR, but also to the series of scandals that punctuated 2018, in which Facebook was undoubtedly the main protagonist (Cambridge Analytica in the spring, a bug in June that made the private posts of 14 million users public, a security flaw in September affecting 30 million user accounts and, most recently, the mistaken exposure of millions of users' unpublished "draft" photos to thousands of partner apps). A recent CNIL/IFOP barometer indicates that 66% of the French population now say they are more sensitive to the subject than before the GDPR.
GDPR PRIORITIES FOR BUSINESSES IN 2018
As far as companies are concerned, the GDPR was clearly one of the topics of the year, for CAC 40 giants and SMEs alike, since all of them had to review how they process the data of customers, prospects, suppliers and, of course, employees. On the whole, we have observed that most companies started their GDPR compliance work with the following five projects:
1 - Updating documents and contracts: many companies have revised their privacy policies, legal notices and information notices, particularly on corporate websites, and have also updated supplier, subcontractor and partnership contracts by inserting new "personal data" clauses, GDPR annexes, non-disclosure agreements (NDAs) or data processing agreements (DPAs). The flood of update notifications in our mailboxes around 25 May was a clear sign of this widespread effort. However, while the "big" contracts have often been updated as a priority, it is important to go all the way and tackle the "small" contracts, which in practice sometimes carry more risk, since they are signed with partners that are less structured and less well equipped to handle security issues in particular.
2 - Setting up governance on the subject: before the GDPR, let's be frank, very few companies had real governance around personal data protection. The subject was often entrusted to the legal department or to the IT security department, and the data protection correspondent (CIL, Correspondant Informatique et Libertés), where one had been appointed, generally combined that role with many others. Things are clearly changing significantly in this area. According to the latest IAPP-EY annual report, about 50% of companies have now set up a dedicated organization, and the headcount assigned to the subject has doubled. The CNIL now counts 15,000 data protection officers (DPOs), compared with 5,000 CILs before the GDPR.
3 - Setting up the record of processing activities: while few companies used to document their data processing, most are now well on their way to producing the famous "record of processing activities" required by Article 30 of the GDPR. The resulting inventory work has often been an opportunity, especially for smaller organizations, to formalize some of their processes and sometimes even to make some welcome changes. However, be careful not to stop at an initial population of the record: it must be kept up to date on an ongoing basis.
4 - Drafting a data breach notification procedure: the new obligation to notify the CNIL, within 72 hours of becoming aware of it, of any personal data breach likely to result in a risk to individuals has forced companies that did not have one to write a procedure or build a dedicated crisis plan. But although the CNIL has already received more than 1,000 notifications since 25 May, there is still a lack of clarity about the thresholds, particularly in terms of the number of people affected, above which a company must notify the CNIL, and also notify the individuals concerned directly when the resulting risk to their privacy appears high. It is worth remembering that the 72-hour clock starts when the controller becomes aware of the breach, not when the incident occurred, and that the duty to inform individuals depends on the level of risk rather than on a headcount. The question of the means to put in place, especially in very small businesses and SMEs, to be able to detect these breaches in the first place also remains open.
5 - Training and raising employee awareness: you have no doubt seen it in your own organization: training, or at least awareness-raising, on personal data protection, whether through classroom sessions, e-learning modules or various internal communication campaigns, has been everywhere in our companies. These one-off campaigns have undoubtedly been beneficial, but here again they will need to be sustained over time in order to instill a genuine "privacy culture" within our organizations and, more broadly, in society, as the GDPR intends.
AN OFTEN MINIMALIST AND SHORT-TERMIST APPROACH TO GDPR COMPLIANCE
As is often the case with regulatory compliance, organizations have tended to aim for a "minimum acceptable level" of compliance at the lowest possible cost. How can one blame them, when the regulatory thicket grows thicker year after year? But with the GDPR the approach has to be different. This text, and the new paradigm it establishes, should lead companies to rethink their strategy, their services and their personal data processing culture more broadly. On closer inspection, the regulation even opens up new opportunities for value creation around personal data that companies would be wrong to dismiss. But this will only be possible for organizations that go beyond a "compliance façade" and fully commit to a positive, proactive strategy of sound data governance, one that will increase their customers' trust and, in turn, the value of their personal data.
WHAT GDPR ROADMAP FOR 2019?
However, other projects, less "visible" but particularly complex to implement and ultimately essential, not only to aim for lasting compliance but also to hope for a return on the investment, remain to be tackled and should appear on every GDPR roadmap in 2019. Three in particular seem essential to us:
1 - Consent management: how do you ensure that all your systems take into account a customer's consent to, or objection to, particular processing operations? How do you present a customer's consents so that they can manage them easily and therefore feel more confident when granting them? Finally, the traceability and history of consents over time must also be addressed. The future ePrivacy Regulation may make all these questions even more pressing by 2020.
2 - Bringing the existing application estate into compliance: GDPR programs have often focused on current or future projects, but sooner or later the existing estate will have to be tackled, especially when it comes to deleting personal data accumulated over the years, which, particularly in large and complex organizations, can be a colossal and long-term task.
3 - Defining a genuine "Privacy by Design and by Default" methodology: a true leitmotif of the regulation, "Privacy by Design", that is, taking GDPR requirements into account from the very design of projects and products, requires adapting working methods and setting up centers of expertise and control. This work is essential to guarantee compliance and minimize risk over time.