
The value of personal data is surging. By 2020 the market built on it could be worth €1 trillion per year (source: Boston Consulting Group). That value brings business and marketing challenges, and it also makes the data a target for misuse and attack. Protecting it is therefore essential.
The main changes in the GDPR
Today, each European state has an authority responsible for the protection of personal data, operating under a national legislative framework that regulates the use of personal data to a greater or lesser extent. In France, the CNIL is responsible for enforcing the Data Protection Act of January 6, 1978. This framework defines the principles to be applied when collecting, processing, and storing such data.
The directive currently in force dates back to 1995 and did not anticipate the rise of the Internet, big data, the cloud, or the mass collection of personal data.
The European General Data Protection Regulation (GDPR) aims to harmonize data protection across the European Union and to update European law so that citizens are protected against the unlawful use of their personal data.
In addition, the regulation sharply increases financial penalties, up to €20 million or 4% of worldwide annual turnover, whichever is higher, and clearly signals a stronger commitment to enforcing best practices in data protection.
The regulation applies from May 25, 2018, to every company worldwide that handles the personal data of people in the EU. This is an important point and a complete reversal of perspective: the focus is no longer on the company holding the data but on the European citizen whose data is held, and it is the holding company that must be able to demonstrate, on request, that the data is adequately protected and processed in compliance with the regulation (the accountability principle). The GDPR therefore hands control of personal data back to citizens rather than to companies.
The steps to successful compliance
Companies that have not already done so will first need to appoint a Data Protection Officer (DPO), mandatory under the regulation for public authorities and for organizations whose core activities involve large-scale monitoring or large-scale processing of sensitive data, and advisable for everyone else. The DPO is responsible for ensuring the GDPR is properly implemented. Companies will also need to conduct an audit to assess the current state of personal data security and define a roadmap.
The recommended approach is a pragmatic one for organizing the compliance plan:
- Create a map identifying precisely every personal data processing operation (Where is the data located? Who is responsible for the application? How is the data protected? Who has access to it? Etc.)
- Analyze the gap between this inventory and all of the GDPR requirements
- Define and prioritize the corrective measures and projects to be implemented
- Reorganize project management processes by integrating a Privacy by Design approach, so that data protection is addressed from the start of each new project rather than retrofitted
Of course, each company will have its own issues:
- How can the large volumes of data processed by big data platforms in the banking sector be kept under control?
- How can data be anonymized for insurers' statistical calculations? And once the data has been "anonymized", how can a customer's request to exercise their right to be forgotten or to data portability be met? (In practice, the answer depends on whether the data is truly anonymized, in which case it can no longer be linked to the customer and falls outside the regulation, or merely pseudonymized, in which case it remains personal data and the customer's rights still apply.)
- Can a company that has wholeheartedly adopted DevOps guarantee the security of production data that is sometimes copied into less controlled development and test environments?
- Some companies have also given in to the temptations of the cloud: how can they now guarantee the security of data over which they no longer have complete control?
Each case will require tailored solutions. For example, when outsourcing data to the cloud, the customer can require the provider to implement a Security Assurance Plan (the French Plan d'Assurance Sécurité), include reversibility and data location clauses in the contract, and retain the right to audit its suppliers.
The DPO and their responsibilities
Faced with this diversity, the DPO will have to adapt and assemble their own toolkit, drawing on technical, organizational, and legal instruments. They will also have to show real leadership in order to establish cross-functional governance of data protection.
As for the authorities' enforcement policy, it is highly likely that, faced with this diversity and with very heterogeneous levels of maturity, they will adopt a pragmatic approach: first checking whether a compliance process has been initiated and whether all the requirements of the regulation have been taken into account.
In concrete terms, a company that has outsourced its HR data without encrypting it or putting a Security Assurance Plan in place is more likely to receive recommendations to implement than a fine. Controls and penalties are likely to be far less lenient for companies that have already leaked large amounts of personal data, or that have built their business model on the data of citizens who never gave clear consent.
