- Written by Jason Bramsden
The General Data Protection Regulation (GDPR), definitively adopted in 2016 by the European Parliament and the Council, is a Big Bang in terms of personal data protection in Europe. By Olivier Chotin, SQLI Consultant Manager.
GDPR - What are Citizens' rights?
Applicable as of 25 May 2018, i.e. within the next year, the GDPR (General Data Protection Regulation) replaces the 1995 Data Protection Directive and, for French companies, builds on the principles of the "Loi Informatique et Libertés". It broadens citizens' rights over the handling of their personal data:
- Lawfulness and consent: every processing activity needs a lawful basis (article 6); where that basis is consent, it must be freely given, specific, informed and unambiguous, expressed by a clear affirmative act, and as easy to withdraw as to give (articles 4(11) and 7). Explicit consent is required for special categories of data such as health data (article 9).
- Transparency: right to know who processes the data, for what purpose, on what legal basis and for how long (articles 13 and 14)
- Right of access and rectification: right to consult one's data and have it corrected (articles 15 and 16)
- Right to erasure ("right to be forgotten"): deletion of data that is no longer needed or for which consent has been withdrawn (article 17); the data subject may also obtain restriction of processing (article 18), and storage is in any case limited in time by the storage limitation principle (article 5)
- Portability: right to retrieve personal data to transfer it elsewhere (article 20)
- Right to object: the data subject may object to processing based on legitimate interest or a public task and, at any time, to processing for direct marketing (article 21)
- Profiling: right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (article 22)
- Minimisation: processing only the data that is adequate, relevant and necessary for the stated purpose (article 5)
- Security: right to have one's personal data protected by technical and organisational measures appropriate to the risk (article 32)
- Notification: right to be informed of a personal data breach likely to result in a high risk to the data subject (article 34); the controller must in addition notify the supervisory authority within 72 hours of becoming aware of a breach (article 33)
GDPR - What are the Company's obligations?
The GDPR requires the Company not only to honour the citizens' rights described above but also to put in place measures that guarantee sound management of personal data, including the means to control and monitor it:
Organisational measures, in particular the designation of a Data Protection Officer (article 37), who advises on and monitors compliance with the GDPR. The DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily.
An accountability principle that makes the controller responsible for demonstrating compliance (article 24), extended by contract to its processors (article 28), together with the documentation that supports this demonstration, in particular the Records of Processing Activities (article 30), which identify each processing activity, its purpose, the categories of data and recipients, the retention periods and the security measures applied.
A methodological approach applied from the design stage onwards (Data protection by design, article 25) and a default configuration that processes only the data necessary for each specific purpose (Data protection by default, article 25).
Risk analysis, in particular the Data Protection Impact Assessment (DPIA, article 35), which is mandatory for processing likely to result in a high risk to individuals; where the DPIA leaves a high residual risk, the supervisory authority must be consulted before processing starts (article 36).
Security measures (article 32) appropriate to the risk, in order to guarantee the security of processing: pseudonymisation and encryption of personal data; the confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access after an incident; and regular testing, assessment and evaluation of the effectiveness of these measures. Note that pseudonymised data remains personal data as long as the additional information allowing re-identification exists (article 4(5), recital 26), so the other measures still apply to it.
Data breach notification (articles 33 and 34) to the competent supervisory authority, within 72 hours of becoming aware of the breach, and, when the breach is likely to result in a high risk, to the data subjects concerned.
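Pseudonymisation, one of the article 32 measures named above, is frequently implemented as an unkeyed hash of a customer identifier, which does not meet the article 4(5) definition because anyone who can enumerate the identifier space can recompute the hash. The following Python example, added here and not part of the original article or of any SQLI tooling, contrasts that mistake with a keyed HMAC whose secret key is the "additional information" kept separately from the dataset. The record layout, the identifier format "C-0001" and the attacker's candidate list are constructed for the example.

```python
"""Pseudonymisation in the sense of GDPR article 4(5): the pseudonym can be
linked back to a person only with additional information (here a secret key)
that the controller keeps separately from the pseudonymised dataset.

Added example for this article; record layout and identifier format are
assumptions, not anything the regulation prescribes.
"""
import hashlib
import hmac
import secrets

# Constructed sample records, such as a small CRM export (not real data).
SAMPLE_RECORDS = [
    {"customer_id": "C-0001", "email": "alice@example.com", "orders": 3},
    {"customer_id": "C-0002", "email": "bob@example.com", "orders": 1},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Often mistaken for pseudonymisation:
    the identifier space is small and public, so the hash can be recomputed
    for every candidate and matched (dictionary attack below)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the controller (e.g. in a KMS or
    HSM), never stored beside the dataset. Without the key the pseudonym
    cannot be recomputed, so the key is the article 4(5) 'additional
    information'; destroying it after the retention period removes the link."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Replace direct identifiers with keyed pseudonyms; keep analytic fields.
    The email address is a direct identifier and is dropped entirely."""
    return [
        {"pseudonym": keyed_pseudonym(r["customer_id"], key), "orders": r["orders"]}
        for r in records
    ]


def reidentify_by_guessing(pseudonyms: list[str], candidate_ids: list[str], fn) -> dict:
    """Dictionary attack: recompute fn over every plausible identifier and
    look the dataset's pseudonyms up in the result. Returns {pseudonym: id}
    for every match."""
    table = {fn(c): c for c in candidate_ids}
    return {p: table[p] for p in pseudonyms if p in table}


def demo() -> tuple[int, int]:
    """Returns (records re-identified from naive hashes,
    records re-identified from keyed pseudonyms without the key)."""
    controller_key = secrets.token_bytes(32)          # lives in a separate trust zone
    candidates = [f"C-{i:04d}" for i in range(10_000)]  # attacker enumerates the ID space

    naive = [naive_pseudonym(r["customer_id"]) for r in SAMPLE_RECORDS]
    keyed = [row["pseudonym"] for row in pseudonymise(SAMPLE_RECORDS, controller_key)]

    recovered_naive = reidentify_by_guessing(naive, candidates, naive_pseudonym)
    attacker_key = secrets.token_bytes(32)               # attacker does not hold the real key
    recovered_keyed = reidentify_by_guessing(
        keyed, candidates, lambda c: keyed_pseudonym(c, attacker_key)
    )
    return len(recovered_naive), len(recovered_keyed)


if __name__ == "__main__":
    print("re-identified (naive, keyed):", demo())
```

The keyed variant only pseudonymises if the key is genuinely out of reach of whoever receives the dataset; if the key ships with the data, or the same key is reused in a system the recipient can query, the link is restored and the dataset is simply personal data under another name.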
GDPR - What are the impacts for the company?
The GDPR has a major impact on the whole life cycle of personal data.
This therefore requires data governance and control over business processes and the data they handle.
Generally speaking, the impact of GDPR is major and requires the implementation of a general transformation approach based on 8 points:
- Data strategy: the aim is to define a data strategy and create value in accordance with the GDPR by collecting and enriching data for a clear and transparent purpose (Data Centric approach).
- Data governance, directives and culture: governance, sponsored by top management, is indispensable to steer the whole company in the same direction and ensure proper supervision of the implementation. This approach starts with the definition of GDPR principles and directives, a code of conduct on the management of personal data, and the awareness and involvement of all players from the outset of the cultural change.
- Organisation, resources and skills: this transformation approach must be steered and coordinated by the DPO. The involvement of the controller's representatives and of the other key players (legal, CISO (RSSI), business process owners, etc.) must be secured. This requires a clear definition of their roles, positioning and responsibilities, with genuine collaborative management to guarantee the consistency and complementarity of the players, and their upskilling through training and support.
- Business processes: compliance with the GDPR starts with mastery of the business processes, ideally steered by process owners. Implementing the records of processing activities and carrying out DPIAs on high-risk processing keeps the risks under control and provides transparency towards the supervisory authority (the CNIL in France). The design of each processing activity, its access controls, security rules and GDPR rules (Privacy by Design, Security by Design) will follow the directives and codes of conduct on the processing of personal data. The personal data handled by a new process or processing activity must also be covered by the GDPR activities and by the applications that manage citizens' rights.
- GDPR activities: all GDPR-related activities need to be defined and deployed, whether for the exercise of rights by citizens (access, erasure, transfer) or for the operational steering of the approach within the Company (follow-up of GDPR activities and risk management, reviews, audits and controls, oversight of processors, reporting, communication, alert management, etc.).
- Data and information management: a general map of personal data, its structure and storage conditions, guarantees that business processes and processing activities are implemented consistently. Internal information covers communication as well as the follow-up and steering indicators of the GDPR project in the Company. External information addresses citizens (their rights, the personal data the Company holds on them, any incidents) and the competent authorities (the CNIL).
- Technical implementation: the architecture of the Company's IT system must allow the GDPR's requirements to be integrated; a Data Centric architecture will make this adaptation easier. Developing applications is also indispensable for managing the relationship with citizens and their rights (information, rectification, transfer, erasure, etc.). The major risk is a rush of requests, concentrated at the beginning, and the Company's inability to respond within the deadline: article 12 requires a response without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests. Tooling, much of which remains to be developed, must make automated technical audits possible (code audits, tests of web or smartphone applications, etc.).
- Legal: strong involvement of the legal director and their team is needed to coordinate, control and validate the legal actions linked to the GDPR, in particular the contracts with partners and processors (article 28 requires processing by a processor to be governed by a written contract). Legal monitoring is indispensable, reinforced at the start by the support of an external specialised legal advisor.
GDPR - An opportunity to create sustainable value for the company?
The European legislator could have been content to define citizens' rights over personal data and sanctions for Companies that fail to meet these obligations.
It understood instead that successful enforcement of this regulation required not only significant sanctions (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, article 83) but also a strong incentive to adopt best practices in the governance and management of personal data, practices that naturally extend to the other data a Company handles.
Within this framework, it has made these best practices mandatory, in dedicated articles, to guarantee a minimum level of maturity in Companies. These best practices aim to:
- Consolidate or develop a mapping of processing activities and personal data and better assess risks (record of processing activities, DPIA, etc.).
- Develop and organise a Corporate approach (top management involvement, DPO, empowerment of players, governance, transformation plan, etc.)
- Improve the Company's "Data" culture (awareness of everyone, code of conduct, etc.)
- Improve the design of processing activities and related applications (Privacy by Design, etc.)
- Improve Security (Security by Design, access, confidentiality, etc.) and related controls
- Improve control over processors (contracts, instructions, audits)
- Improve supervision, reviews and internal controls
Within the framework of a generalisation of "Data Centric" approaches, these best practices become pillars of digital transformation of Companies:
- They will contribute to the improvement of data governance and culture
- They will facilitate risk control, data quality, and data security and control
- They will be a vehicle for optimising technical and human resources by developing skills on the subject
In the end, this approach will actively contribute to the creation of sustainable value for the Company:
- By better performance of processing activities
- By better knowledge of one's data, and the development of new value-creating strategies
- By transparent and responsible customer communication, a vehicle for a trusting and sustainable relationship