The General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of EU citizens and any non-compliance could cost them dearly. For those who are still unfamiliar with this, take a look at the infographic below. It shall give you a basic understanding of GDPR and its aspects.
What is next after the main GDPR compliance procedures? What actions can be taken in the medium and long term? Should we wait for the laws for specific cases or scenarios?
Here, we will see some recommendation from experts.
As of May 25th, 2018, the main provisions have been implemented to comply with the new GDPR regulation. Any new action must be compliant from the design stage and properly protected.
However, there will still be a lot to do. When the main requirements have been treated as a priority, we must take the right steps to be compliant to avoid the risk of being exposed to sanctions and fines. The regulation requires organizations to have a permanent DPO (data protection officer). It is a part of the continuous improvement process. Brands must continue implementation of new procedures. It can be real IT projects or programs to engage on traditional delays of 6 to 18 months which has been observed by many experts.
In the Face of the Risks Of Collective Actions
Nobody knows exactly what actions and what control will be exercised by the regulators. On the other hand, it is clear that organizations will be exposed to class actions by users, customers or consumers.
Among the medium and long-term, the right of access (with rectification, opposition and deletion) and the right to portability must be prioritized to allow interested parties to retrieve an electronically transmittable file to a third party, typically in case of change of provider.
The information / communication component can also be an important program. In particular, transparency is vital. For example, if I give my personal details for specific service; there is no question of using them for another purpose.
Therefore, it is important to ensure that the modalities of data collection are fair, lawful and transparent. If applicable for back-office processing in “near-shore” or “off-shore”, (e.g. consultation or troubleshooting centers in South-East Asia), it must be disclosed that the data will be shared with data partners outside of the EU.
Opportunities and Revision of Its Digital Strategy
The new regulation can open real commercial opportunities:
“If one is positive, this overlay of regulatory constraints can turn into a gold mine”.
By putting themselves in order, companies will be able to communicate their competitive strengths to their customers. They may, declare that they do not monetize the use of personal data or do so in their interest of earning their trust. For instance, the choice of point of sale or the points of contacts who have chosen the service.
Such an approach encourages creating or at least reconsidering its digital strategy. It leads to restructuring the processing of databases, including private data. For an instance, it shows that:
“Not only do I respect the regulation in the eyes of my users or customers, but I propose to them, by being transparent, to take advantage of them to improve the service”.
Principle of Responsibility
This transparent approach is more appropriate for all the major groups. The principle of responsibility lies between subcontractors, the collector and data holder (and never the “owner” because the data remains the property of the people). The data collector is responsible for making sure subcontractors abide by their rules.
Advance on the Legal and Informatics
You have to be pragmatic. You need to intervene on the legal, technical as well as other aspect of the data. There are tools, such as the DPPS (Data Protection Impact Assessment) that not only lets you facilitate various tasks but also codes of conduct and good practice guides such as the ICO (UK).
The mapping of personal data, in files or application, can involve a hundred of actions. It is therefore a good idea to design a prioritization plan based on the nature and sensitivity of the data.
The implementation of safety and traceability procedures is also, in itself, a process of continuous improvement.
It is thus a good idea to carry out diagnostics or compliance audits of the company. You can then act on ad hoc events on the basis of on the impact assessment. On some aspects, it may be appropriate to resort to some support.
The Limits of Encryption
Encryption is recommended upstream, especially in the case of payment procedures or financial transactions such as Pci-Dss protocols. But it can be very tedious for some organizations. It can take a long time and may be heavy for historical bases of great volume try and little information (like recipient files of a newsletter). It is not recommended systematically as this may be disproportionate in some contexts.
Minimization, Anonymization and Pseudonymization
Applying the minimization principle makes it possible to expose less data by collecting only the data that are really useful and necessary in the context of the stated purpose.
We must not focus on technical mapping, but on identification, the right to identity in a limited space, and qualification. “Can we hold these data? Yes, if we cannot do otherwise”.
Anonymization, which is irreversible, is a good approach under the law. If it is necessary to establish a strong confidentiality agreement, the pseudo-anonymization (which allows going back) remains debatable, even if it is legally valid. But again, the processes are tedious and expensive if they are done afterwards.
Right to Information and Erasure
The right to information, which is also the right to question, must also, remain a concern, “in a proactive dynamic manner”.
The obligation to delete or purge raises the question of how long data should be kept, which depends on their nature and on contractual commitments or general conditions. So, there is an impact on the action. This chapter also raises questions about the duty of memory, the right to history, but also refers to the freedom of the press, which aims to preserve the memory of the facts.
In the Long Term, Jurisprudence and Readjustments
In the balance sheet, the compliance with the GDPR is a continuous process. The GDPR regulation, it is an inflation of articles, twenty more, compared to the law of 1978, that is to say 99 articles, which are introduced by 173 ‘recitals’ with as many possible interpretations. Though, nothing is clear enough, but the litigation cases will focus on certain points.
Finally, we note that the stakes are global and frontal. The legal principle is the most important part of GDPR, however, it is not a question of freedom but of dignity, and the respect for the dignity of the people.
GDPR Compliance is an Evolving Challenge Since May 25
The GDPR is one of the biggest changes affecting everyone that does business in the EU. Organizations must monitor developments and respond to challenges as new information arises. Since the details are still being ironed out, there will be a number of new developments to focus on in the future.