On the occasion of the 23rd edition of the fair on March 29-30, experts in corporate data management spoke about the GDPR, the new General Data Protection Regulation. At a time when the use of data is at the heart of companies' concerns, most of them are far from having adopted the standards that will become mandatory when the regulation comes into force on May 25, 2018.

The GDPR, what is it?

The GDPR, or General Data Protection Regulation, will come into force on May 25, 2018 in all member states of the European Union. It is the result of long years of negotiations and takes the form of 99 articles introduced by 173 recitals. It should allow Europe to adapt to the new digital realities and aims to give citizens back control over their personal data.

It therefore creates new obligations for companies, which must carry out major internal projects to meet the new standards. Céline Avignon, lawyer at the firm Alain Bensoussan, lists the key principles of the GDPR: data protection must be built in from the design of a project, with the consent (or not) of the individuals concerned; protection must apply by default; and the collection of information must be minimized to what is essential. Among the 20 projects that companies must undertake to comply with the GDPR are the obligation to change their general policy, the appointment of a DPO (Data Protection Officer), governance of personal data, the establishment of registers, mandatory contracts and notices, protection by design, data retention periods, protection by default, and accountability (the obligation to prove data compliance).

The main risks

Companies that oppose this change, or that are reluctant to comply with the rules, face several penalties.
Not only the damage to their company's image, but also the loss of customer confidence and therefore of business opportunities. And those who do not stop there and still fail to comply with the rules of the GDPR expose themselves to heavy financial penalties of up to a percentage of turnover. "Applying the GDPR will not slow down business; it will create opportunities for marketing. The GDPR is a bit like competition law: everyone thought it would do business a disservice, and in fact it did the opposite," adds Céline Avignon. Sophie Nerbonne, Deputy Director of Legal and International Affairs and Expertise at the CNIL, adds that "many formalities with the CNIL will disappear. In return, corporate responsibility will be strengthened. They will indeed have to ensure optimal data protection at all times and be able to demonstrate this by documenting their compliance."
Where are the companies at?

This is the question answered by Alain Le Bras, President of Arondor (a company that specializes in the management of unstructured data), by presenting the results of the SERDA survey. Carried out with several large companies, it aims to survey the market and assess uncertainties and awareness of the financial and reputational stakes. The results speak for themselves: 45% of those questioned are still unaware of the new European regulation. Among those who are aware, only 24% have measured its impact. Finally, 76% of the sample has no idea of the regulation's impact. There is therefore "a long way to go", as Alain Le Bras puts it. When asked about the sanctions they fear most, a third say it is the financial sanction, followed by the damage to their image. So why don't they get up to speed?
29% answer that they lack information, and 26% believe they lack mobilization in terms of staff, time and resources. In conclusion: while 28% of the panel is aware of the GDPR, 87% of organizations will not be ready in May 2018 because almost half have not yet planned anything. There is still a long way to go for all organizations, and a culture change has to take place at every level. "Today when we talk about data we talk about valuation, tomorrow we will have to think about protection," concludes Alain Le Bras.

What impact on the architecture of information systems?

Sophie Bouteiller, Mission Director and responsible for partnerships at CIGREF (the association of large French companies using digital technologies, independent of suppliers), tells us that Article 37 of the GDPR requires the appointment of a data protection officer (DPO) in all large companies (banks, insurance companies, companies handling sensitive data such as healthcare, public service companies). A DPO is also required where the core activities of the controller involve regular and systematic monitoring on a large scale, or where the processing is carried out by a public authority or public body. The G29, in its guidelines adopted on December 16, 2016, also recommended the appointment of a DPO. The DPO is the pilot, the pivot and the key actor in the implementation of the GDPR. He builds up an internal and external network, ensures the lawfulness of processing and minimizes the collection of personal data. Unlike the Data Officer, he deals with accountability, privacy by design (respect for data protection from the design stage) and security by default. He is also in charge of declaring any personal data breach.