Data protection: is there a new sheriff in town?
In the beginning, there were personal data being digitalised, accessible from everywhere by everyone. The new frontier will, as always, generate abusive behaviour. Not long after come threats and data breaches, such as ransomware attacks or security breaches. Some are never brought to the attention of the public and the authorities, some only with delay... To deal with those security issues, the European Commission has once again turned into a shield to protect the people, as it had done with MiFID II, IDD, PRIIPs, PSD2, etc. There's a new sheriff in town, as the saying goes!
GDPR, the European legislative response
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force with a significant novelty compared to previous regulations: all companies are concerned, for all categories of data subjects. The GAFAs' sector is obviously a target, but so are service and industrial companies, be they international or local! As for the data subjects, customers and employees naturally come to mind, but the GDPR also aims at protecting the personal data of prospects, former employees, candidates, legal representatives, etc.
… with means to match its ambitions!
What are the purposes of this regulation?
To strengthen data subjects’ rights, of course, but also to make organisations more responsible, including subcontractors, and finally to standardise practices within the European Union.
What about the means?
Administrative penalties incurred in case of data breaches can go up to 4% of worldwide group turnover (or €20 million for non-profit organisations). In comparison, in France the maximum penalty in case of personal data violation was set at €150,000!
All right then, but banks are already protecting data!
Yes. And at first, the gap does not seem to be that large (in France at least): GDPR is based at 90% on the French "Informatics and Freedom" law from 1978. Lucky us! However, a closer look reveals a not so ideal situation considering the main tasks to complete:
respecting data subjects' rights, setting up security measures and adapting organisations around the Data Protection Officer (DPO), to state the obvious!
So, it's all good?
Not so fast!
The GDPR covers different rights: the rights of access, opposition, rectification and limitation of processing, the right to be forgotten and the new right to data portability. While the first rights (access, opposition, rectification, limitation) are generally respected, organisations mostly handle them through manual procedures: the approach is then to ensure that processing operations are documented and to evaluate the relevance of automating some of them (in part?), depending on observed and anticipated volumes. No big deal, actually, even if the right of access might turn out to be complex to implement considering the scope of personal data to be communicated to the data subject.
What's the catch, then?
Well, respecting the right to be forgotten and the right to data portability certainly raises deep IT issues. If you ask a CIO to purge his databases, he will probably point to the absence of a data repository, to the IS legacy, to the lack of control over data propagation and interdependencies between the different bases, to the systemic risk on the IS, etc. Organisations have to analyse this thorny issue carefully and take the time to identify possible strategies.
The regulation does include the right to be forgotten; anonymisation can help achieve it (not to be confused with pseudonymisation, which leaves the data re-identifiable with a key and therefore still personal data under the GDPR), as can containerisation (or data segregation) in some cases.
As for the right to data portability, it is problematic because the scope of data that could be transferred is not defined yet!
And what about data protection and cybersecurity?
Security measures should be easier to implement... for companies of a certain size. These companies usually have CISOs (Chief Information Security Officers), who are structurally concerned with data protection in general, not only with personal data protection. Some companies also have the status of Outsourced Essential Service Providers and are therefore already well equipped, particularly in terms of fighting cybercrime, among IT risks. Risk assessments will have to be more thorough, but that should do it!
What's left to do?
Finally, companies have to adapt their organisation around the DPO, a task that could include all the other requirements of the regulation: GDPR governance; obligation of information; formalisation of privacy by design and by default methodologies; processor risks; updates to standards, procedures, control plans and training. Those topics must be developed, but not from scratch: the existing organisation can be enriched to become GDPR compliant.
So, then, it's all good?
Not even close, but you have to take a documented risk approach. Why documented? In the event of a control by the Supervisory Authority, the company must be able to prove that its compliance roadmap is clearly defined and that the necessary resources are allocated, in order to justify the compliance horizons observed on the market: May 2018, end of 2018 and end of 2019.
If you’re small, they’ll play nice, but if you’re big, well… buckle up!