It is the home stretch for many French and European companies. They have until 25 May 2018 to ensure that they comply with the GDPR—the new European data-protection regulation that everyone is talking about. This regulation, adopted in 2016 to improve the protection of citizens and their personal data, implies significant structural and administrative changes for companies.
Ten years of negotiation
In Brussels, management of the personal data of EU citizens has been a subject of discussion for approximately ten years between legislators and lobbyists. It is a delicate matter, as the sale of personal data gathered by companies such as Google, Facebook, Apple and Amazon—which also raises questions on respect for privacy—feeds the highly profitable market of targeted advertising. Within Europe, the big-data sector was worth "around 300 billion euros in 2016 and could reach 430 billion euros in 2020," according to Le Monde. Nevertheless, it wasn't until last year that the rules of 1995 were updated and the General Data Protection Regulation (GDPR) approved by the European Commission and gradually adopted in the EU member states.
The GDPR strengthens the right of citizens to know what is done with their data, in particular by requiring a signature as proof of explicit consent. Every user of a digital service will also be able to recover his or her data in order to move it from one company to another (from one social-media site to another, for example) and will deal with a single interlocutor in the event of a dispute—the national data-protection authority, which in the case of France is the CNIL.
The GDPR represents a real improvement in terms of the protection of European citizens but also massive disruption for companies, which will have to make big changes.
The regulation affects every department within a company
Not every company realizes whether it is even concerned by the GDPR. As highlighted by Émilie Dumérain, the legal-affairs delegate at the trade association Syntec Numérique, "All companies are potentially affected by the GDPR in so far as they process personal data for HR or CRM purposes. For example, a simple data collection form on a small business website means that the rules of the GDPR apply." Employees in every department may then have to work on making sure that the company is compliant: those entrusted with data processing as well as those in the company's administrative departments. New positions will have to be created in large companies: so-called Data Protection Officers (DPOs) will be entrusted with monitoring how collected data is processed, where the data is stored and with whom it is shared. "One of the main points concerns Privacy by design," adds Stéphane Prévost, Product Marketing Manager at Stormshield. "It means putting in place a data-protection policy and making sure security is everywhere: at the time data-processing operations are designed, in terms of the data itself, the network, but also the workstations at which those who are responsible for personal data work." Similarly, a company will have to keep a record of, and log, each processing stage to demonstrate that it is compliant, and notify its customers and the CNIL in the event of a security breach. Furthermore, "impact-on-privacy studies" will have to be carried out by companies that handle risky data, particularly when the data concerns the political views, religious beliefs, ethnicity or sexual orientation of customers.
On paper, these changes appear to be clear. In practice, however, a lot of companies are still struggling to put them in place.
42% of French companies questioned "only recently became aware of" the GDPR
A recent study carried out by IDC France for Syntec Numérique revealed that 42% of French companies "only recently became aware of" the GDPR and that only 9% believe that they currently comply with the regulation. "We organised a number of morning seminars to raise awareness among clients of this subject and sometimes noticed a lack of commitment," Stéphane Prévost reports for his part. "Some firms are already prepared—big companies, for instance—but I think that a lot of small firms have decided to wait and include GDPR compliance in their 2018 budget." Another study, conducted by OnePoll for Citrix, found that 9% of the large firms questioned do not know which systems their data is hosted on and 8% do not know for how long data is stored. However, they have no choice: aside from receiving a formal notice or being ordered to halt data-processing operations, they risk a range of penalties, including a fine of between 2% and 4% of their annual global turnover.
It is for this reason that companies that provide data-management and protection services or software are increasingly in demand. "A lot of member companies offer services that are aligned with the GDPR," notes Émilie Dumérain. "For example, one firm has a mapping program which lets the user automatically identify all of the processing operations. Without the program, it would have to be done by hand in a spreadsheet. A program offered by another member lets the user diagnose its situation. Companies can also use tools to implement data portability, for example, and they can seek out consultancy and support services and assistance with prioritising the actions to be taken." Companies still have five months to launch the dreaded procedures necessary to comply with the GDPR.
An article written in cooperation with Usbek & Rica