GDPR, 5 major transformation axes for companies
The General Data Protection Regulation (GDPR) is the new European regulation aimed at strengthening the protection of personal data, which will change the governance of data within companies. Entered into force in May 2016, it will be applicable in 2018.
The main objective is "to harmonize the protection [...] of natural persons with regard to processing activities and to ensure the free movement of personal data between Member States". The GDPR will therefore have a direct impact on companies processing personal data, but also on clients who will regain control over their data.
For companies, the application of this new regulation will require them to be transparent with their clients about the use of collected data, to adopt a new data protection policy, and to review everyone's roles internally.
The text has three objectives: to consolidate the rights of natural persons, to strengthen the powers of European authorities, and to hold accountable the companies that process personal data.
The DPO, or Data Protection Officer
Companies and institutions processing personal data on a large scale will need to recruit a Data Protection Officer (DPO), whose main task will be to ensure the protection of personal data.
The DPO's employer (or client) falls under the legislation as soon as it uses collected data for commercial or internal purposes (for example, in HR software). The DPO must therefore have a 360° view of how personal data is used, a cross-cutting role that brings them into contact with every department of the company (general management, marketing, development, human resources).
To this end, the DPO must be involved from the start of each project, mapping the personal data and the processing operations while recommending an appropriate security and privacy policy. To avoid being caught unaware by a violation, the DPO must periodically verify that the company (or its client) uses personal data in compliance with the regulation, carrying out impact, risk and intrusion analyses so as to warn the party concerned of any potential breach of the GDPR.
Playing the transparency card
Collecting and processing personal data requires total transparency. Companies will need to explicitly inform individuals about the use made of their data, which those individuals may then refuse. Indeed, the pre-checked box stating that the user accepts the collection and processing of their personal data for commercial purposes will be prohibited; the user will instead have to actively check "yes" or "no". Institutions will also have to inform consumers of any breach or theft of this data when the breach is likely to create a high risk to the rights and freedoms of natural persons, so that those affected can take the necessary precautions.
Accountability, a fundamental principle of the European pact, means that companies must be able to prove at all times, by providing detailed documentation, that they comply with the laws on the protection of personal data.
Protection of personal data
Moreover, companies will be prohibited from transferring the personal data of EU citizens outside Europe, which will require them to stop using the services of foreign companies (American, Asian, etc.). This holds whether or not the company is established in Europe, since the GDPR applies to every company that processes the personal data of EU citizens and operates in this market.
It will also be harder for companies to collect data from minors: they will have to use simple, understandable language for those under 18, so that minors are no longer misled about how their data will ultimately be used. In addition, the consent of a parent or legal guardian will be required to validate the collection and processing of a minor's personal data. To ensure that this principle of data protection is respected, stakeholders must build the security standards that apply throughout the data life cycle natively into their solutions, their applications (CRM, ERP, MDM, etc.) and their "cloud service providers".