Nearly 6 months after the adoption of the General Data Protection Regulation (GDPR) was announced, companies (along with law and consulting firms) are working on bringing their practices into conformity with the text ahead of the May 2018 deadline (the target date for putting in place the measures the GDPR imposes). Bear in mind that the GDPR introduces a new personal data protection regulation applicable to all European Union member states. For his part, European Data Protection Supervisor (EDPS) [1] Giovanni Buttarelli speaks of the GDPR as “a human rights monument.” Nevertheless, the new regulation—though much written about—has so far raised more questions than it has answered. Following the reading and analysis of the text and the July 2016 meeting organized by the CNIL [2], synergies are emerging, and new steps are being taken in the collective effort to integrate the GDPR into companies at large.
Working groups and best practices
As the new European regulation stipulates, the parties involved in processing and storing personal data are called upon to define and follow codes of conduct. Article 40, which introduces this step, specifies that “the existence of codes of conduct may be used as an element by which to demonstrate compliance with the obligations of the controller.” [3] They are also encouraged to consider creating approved certification mechanisms (Article 42). These requirements have prompted the first working groups, such as those of Régis Delayat (Vice President of CIGREF and AFAI administrator) and Stanislas de Rémur (Vice President of TECH IN France). While many companies are already spearheading their digital transformation and migration towards the Cloud, these working groups will at the same time be important levers for harmonizing best practices and advising companies in their choice of infrastructure (structure and hosting), whether hosted on-site or through an external provider (Cloud).
For its part, the CNIL [4] launched its first compliance packs in 2014 for vertical markets, according to their specific “data” issues. The CNIL also currently offers a simplified reading of the regulation, which it summarizes in 3 objectives: reinforce the rights of individuals, empower the actors processing the data (collectors and hosts), and lend credibility to the regulation by implementing the GDPR in all European Union (EU) member states. Failure to comply with these objectives is subject to sanctions that can be up to 4% of a company’s aggregate turnover.
IT procedures and marketing
The road to compliance begins with a meticulous audit of current procedures affecting personal data. In a 2nd phase, working towards ISO certification can help companies improve existing procedures and make them compliant and certified, since the issues raised by the new European regulation can be summarized in 3 major, intrinsically linked themes: tools, procedures, and the question of Cloud hosting. In any case, companies must conduct a thorough examination of how they process and store data in order to fully understand the different written procedures the new regulation imposes. The first is addressed in Article 12, which defines the procedures and mechanisms foreseen for the exercise of the rights of the individuals to whom the personal data belongs (rectification, right to be forgotten, etc.). These procedures involve specific jobs, in particular the Human Resources and Marketing departments first and foremost, since they manage the personal data entry points, the processing, and the commitment of customers and prospective customers to the company. The second procedural requirement, related to processing personal data in its technological context (hosting, storage, migration, or cybersecurity), concerns the IT department. In fact, Article 32.1.a states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia […] the pseudonymisation and encryption of personal data.”
Encrypting the data
In this context, why has the issue of encryption become so prominent? Because the data is now moving, passing from one infrastructure to another and from one terminal to another, with no geographic constraints and with a single click. Gabriele Carzaniga, a Sales Engineer Manager at Google, makes this point when he explains that “Today, digital transformation requires that data be available, accessible, and shareable at any time.” The GDPR includes this aspect in the aforementioned Article 32. Furthermore, disk encryption (although still useful as part of a classic cybersecurity plan) is not an adequate solution on its own, because personal data must be encrypted from the workstation before it leaves the company’s perimeter. Indeed, if the data is encrypted with a key hosted in EU territory, it can be stored anywhere without any difficulty. Moreover, stolen encrypted data is not considered to be a security breach if the decryption key is inaccessible. According to the Global Data Encryption Research [5] study, which forecasts the next 6 years, the data encryption market is expected to grow at an average annual rate of 18%, reaching $4 billion in the United States by 2022. According to the study, migration to the Cloud is what would fuel this trend. However, the GDPR undoubtedly plays a part as well. The next step is the long-awaited publication of best practices by the EDPS.
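The pattern described above, encrypting on the workstation before the data leaves the perimeter, keeping the key with a custodian in EU territory, and storing only ciphertext with the provider, can be illustrated in code. The following Go program is an added example written for this page; it is not code from the article or from any product mentioned in it. It assumes a hypothetical KeyCustodian (an in-memory stand-in for a KMS or HSM that stays in the EU), uses AES-256-GCM for the record itself and HMAC-SHA256 for pseudonymising a direct identifier, as Article 32.1.a names both measures. The sample record is constructed, not real personal data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyCustodian stands in for the key store that stays inside EU territory
// (assumption: a KMS or HSM in practice; an in-memory map here).
type KeyCustodian struct{ keys map[string][]byte }

func NewKeyCustodian() *KeyCustodian { return &KeyCustodian{keys: map[string][]byte{}} }

// NewKey generates a fresh 256-bit AES key under the given identifier.
func (k *KeyCustodian) NewKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[id] = key
	return nil
}

// Key is only reachable from inside the perimeter; the storage provider never
// sees it, so a stolen Record on its own cannot be decrypted.
func (k *KeyCustodian) Key(id string) ([]byte, error) {
	if key, ok := k.keys[id]; ok {
		return key, nil
	}
	return nil, errors.New("key not available")
}

// Record is all the storage provider ever receives: key id, nonce and ciphertext.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the workstation with AES-256-GCM before the data leaves the
// perimeter; the key id is authenticated as associated data.
func Seal(key []byte, keyID string, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record; it fails if the key is wrong or any byte was altered.
func Open(key []byte, r Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyID))
}

// Pseudonymise replaces a direct identifier with an HMAC-SHA256 keyed hash, so
// records stay linkable for processing without carrying the identifier itself.
func Pseudonymise(secret []byte, identifier string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	c := NewKeyCustodian()
	if err := c.NewKey("eu-key-1"); err != nil {
		panic(err)
	}
	key, _ := c.Key("eu-key-1")
	// Constructed sample; not real personal data.
	rec, _ := Seal(key, "eu-key-1", []byte("Jane Doe <jane@example.org>"))
	fmt.Printf("stored outside the perimeter: %x\n", rec.Ciphertext)
	fmt.Println("pseudonym:", Pseudonymise(key, "jane@example.org"))
	pt, err := Open(key, rec)
	fmt.Printf("recovered with the custodian's key: %s (err=%v)\n", pt, err)
	rec.Ciphertext[0] ^= 1 // simulate corruption or tampering in storage
	_, err = Open(key, rec)
	fmt.Println("altered record rejected:", err != nil)
}
```

The point of the split is that the provider's copy (a Record) is inert without a call to the custodian: a wrong key or a single flipped byte makes Open fail, which is what the article's "key hosted in EU territory" argument depends on. In a real deployment the custodian's access log is also the place to detect unexpected decryption requests.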
[1] EDPS Newsletter, October 2016: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Newsletters/Newsletter_49_EN.pdf
[2] Meeting on the new European regulation, CNIL website: https://www.cnil.fr/fr/consultation-reglement-europeen
[4] European Data Protection Regulation. What is changing for professionals, in CNIL: https://www.cnil.fr/fr/reglement-europeen-sur-la-protection-des-donnees-ce-qui-change-pour-les-professionnels
[5] Global Data Encryption Research Report forecast 2022, in Market Research Future (MRFR): https://www.marketresearchfuture.com/reports/global-data-encryption-market-research-report-forecast-2022