The new European regulation (aka GDPR) imposes on organizations of all sizes two major obligations: the protection of the personal data they hold on individuals (customers, prospects, partners…) and the respect of those individuals' rights (type of processing, legitimate interest, access, rectification, erasure…).
While the second obligation (the individuals' rights) in most cases follows naturally from a rational and justified data collection (processing with a legitimate purpose), a purely "marketing" motive is going to be penalized by the new rules: consent, so far presumed (for example for website cookies), now becomes a requirement (double "opt-in" imposed on forms). You will no longer be able to collect everything about anyone, and each request for information will have to be justified. Furthermore, the individual concerned will have a right of inspection throughout the lifecycle of their data inside the organization. That is enough to upset the functioning of many e-commerce websites, among other businesses.
The first obligation, on the other hand, will raise serious questions for the various departments that collect and use personal data on a large scale. As a matter of fact, data protection is going to get more complicated:
- for access to "production" data: the rise of cyberattacks and other data breaches represents a threat that is real and likely enough to occur, which motivates the need for constantly updated security protocols.
- for uses of data outside "production", such as transfers and copies inside the enterprise (or to subcontractors), which generally take place in environments lacking security.
What specifically is personal data?
According to the regulation, it is "any information relating to a natural person (data subject)": data, or a dataset, that allows a person to be identified (or re-identified).
The European regulation defines different levels of sensitivity according to the type of data: general data, health data, biometrics, etc. Holding data classified in the higher sensitivity levels requires specific risk studies regarding the rights of data subjects (PIA: Privacy Impact Assessment).
There are multiple reasons for collecting data and multiple uses of that data. Each department of the organization has specific needs (invoicing, marketing, contracts, analysis...), and the point is not to constrain business productivity but rather to make everyone (the users) responsible, in order to protect the digital existence of the people being "used".
Since data processing naturally includes the processing of personal data, this is where compliance with the European regulation becomes unavoidable.
Do you already have your DPO?
As a reminder, any public body or any company processing data on a large scale must appoint a data protection officer who, from May 25, 2018, will be responsible towards customers for the respect of their rights. This DPO will:
- have an exhaustive view of all the personal data managed by the company
- inform data subjects and transmit to them all the data concerning them
- answer data subjects' requests for data modification or erasure
- ensure the legality of the data collected by the company
The DPO will have a right of review over protection mechanisms and over the legitimacy of processing. He or she will be the contact person for customers with inquiries about their personal data, and also for the national supervisory authority (the CNIL in France, the Commission Vie privée in Belgium…).
GDPR is a major challenge for all organizations based in Europe; approached intelligently, the new regulation is an undeniable opportunity for anyone who wants to benefit from it.
Rever has developed several tools intended to help with GDPR compliance, including one solution elaborated with our partner ActeCil.