RGPD audit: combining business with pleasure
The RGPD is the embodiment of many fantasies: disproportionate new obligations, an overhaul of the organisation, prohibitive penalties, and so on. But what about you? Might you already be managing the RGPD without knowing it?
A very brief reminder
Without going into too much detail on the subject, the General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018.
As a regulation it applies directly, without needing to be transposed; the French law adapting national legislation to it is currently being debated in Parliament, but the main obligations are set in stone.
Personal data is any information that directly or indirectly identifies a natural person: last name, first name, personal or professional email address, physical address, telephone number, etc. It also includes the metadata generated by the use of online services or electronic exchanges (identifiers, IP addresses, logs, location data).
With the aim of regulating the use of personal data, the RGPD lays down a number of obligations regarding the collection and processing of personal data.
These include, but are not limited to, a valid legal basis for each processing operation (most visibly the user's freely given, specific and informed consent, which the controller must be able to prove), limited data retention periods, and the rights of individuals to access, rectify, delete and port their data.
Other obligations have been laid down for companies, over and above their direct relationship with users and customers:
- the appointment of a Data Protection Officer (mandatory for public bodies and for organisations whose core activities involve large-scale monitoring or sensitive data, and strongly advisable for the rest),
- keeping a register of processing activities,
- a contractual framework with processors (subcontractors), who now carry obligations and liability of their own,
- etc.
Last but not least, "data protection by design and by default" has become sacrosanct for the roll-out of new services; companies are required to secure data in proportion to the risks to people's rights and freedoms; and companies can formalise their own best practices through codes of conduct.
In short, there are many elements that cover both technical and organisational aspects and that go well beyond the field of cyber-security, reinforcing the apparent complexity of this regulation.
Gnothi seauton
No, it's not a swear word, it's ancient Greek. The aphorism "Gnothi seauton", meaning "Know thyself", was inscribed at the temple of Apollo at Delphi and has been attributed to Thales, Pythagoras, Heraclitus and Socrates, among others.
For those who prefer a more modern reference, the Matrix film produced by the Wachowskis popularised "Temet Nosce", the Latin translation of the preceding Greek phrase.
This maxim sums up the approach to RGPD compliance: to draw up an action plan, you first need to measure how far you are from your goal. An initial audit allows you to take stock of the efforts already in place and the ways in which things are done.
This audit is essential to prepare for the changes that will follow: over and above the technical measures, the main impact of the RGPD is to make the use of data accountable, and that accountability rests with the data controller.
This initial audit is far from being an end in itself; in fact, the opposite is true. Rather than freezing a situation, it marks the starting line for the race that is RGPD compliance, a race whose length depends on what the audit brings to light.
This audit must not remain an analysis lost among the other documents on an untidy desk. On the contrary, it must be translated into a roadmap, with clearly identified actions, concrete deliverables and a more global vision of how these actions fit together to achieve compliance with the RGPD.
The use of a partner with expertise in the subject in question can be an initial response to RGPD compliance: this point of contact and expertise will be able to unite the company's energies around a common challenge and cross-disciplinary skills: legal, IS, marketing, purchasing, etc.
Learning by doing
The initial audit enables us to draw up an initial assessment of what is happening, but above all to build an action plan to develop the organisations, processes and tools in place.
The aim is not to fall victim to the new regulation but to take advantage of it: to use this new way of working to refine and optimise processes, and to generate different, differentiating value for end users.
To achieve this, it is essential to involve the company's internal stakeholders: the legal department cannot be the sole guarantor of compliance. This is a cross-functional issue, and depends profoundly on everyone's working methods.
Yes, ways of working will be impacted by these regulations; changes in working methods will be imposed globally on everyone, with a new way of approaching the use of personal data.
This includes the relationship with subcontractors, who are more than ever essential stakeholders in this process. Now that the processor carries obligations and liability of its own alongside the data controller (= the client company), and the relationship must be framed by a contract covering security, sub-processing and assistance with data subjects' rights, it is no longer possible to unbalance the relationship in favour of one or other of the parties.
The relationship with the processor is all the more important as it is often linked to the use of certain key areas of expertise when it comes to processing personal data: statistical analyses using Big Data, HR processing, marketing campaigns, etc.
Involving the subcontractor in RGPD compliance efforts therefore makes it possible to strengthen the overall security of personal data processing.
By aiming for continuous improvement, through more or less formal points, everyone can become a player in RGPD compliance by taking ownership of the points identified during the audit. We need to create value by bringing people together in a common project that is binding on everyone, and that transforms practices.
And what about the finishing line?
The first thing to clarify is that, at the time of writing, there is no such thing as "RGPD certification". The regulation does provide for certification mechanisms and for codes of conduct, but these are drawn up by companies and business associations and approved and monitored under the supervision of the CNIL and its European counterparts; none is yet operational.
As there is no "official RGPD certification", each company needs to build its own reference framework, which will serve as an "internal code" for the processing of personal data.
This "internal code" must have been considered at an early stage, on the basis of the initial audit and the business needs identified: it constitutes the internal reference framework for the use of personal data.
The creation of this code will serve multiple purposes:
- It will ensure consistency in the use of personal data (data collected, collection methods, consent, requirements for the processor, retention period, etc.);
- It will serve as a reference for working with subcontractors;
- It will serve as a target for checking that the objectives identified during the initial audit have been met.
This "internal code" then needs to be checked against reality by carrying out a second, more formal audit. The scope of this new audit goes beyond the internal framework and must cover all the stakeholders identified initially, subcontractors included.
Given the purposes of this "internal code", it must not limit itself to broad general principles or vague designations: it must frame expectations unequivocally, particularly with regard to the specific techniques used to guarantee the confidentiality of personal data (which encryption algorithms and key lengths are acceptable, which forms of multi-factor authentication are accepted, how data is pseudonymised, etc.).
The aim is to identify areas for improvement, because it is essential to bear in mind that RGPD compliance will not be achieved overnight.
What's more, you need to bear in mind that the scope of the RGPD within your company will be constantly evolving (new processing operations, addition and deletion of applications, etc.).
How does the audit work in practice?
The keystone of this system is a critical, objective and benevolent eye that provides you with added value.
You can have this eye in-house - and that's an excellent thing - which can be embodied by your Data Protection Correspondent / future Data Protection Officer.
However, this situation is not widespread, and is more the exception than the rule.
In all cases, we need to go beyond the traditional notion of an audit that points out bad behaviour, and move towards a more global approach that takes into account:
- Your business context, all the more important in view of the RGPD;
- Your IT context;
- Your human context.
Nuageo, through GDPReady, can support you in this move towards the RGPD:
- we provide a cross-functional vision of your contexts in the light of the challenges of the RGPD,
- we propose a roadmap,
- we support you in managing and achieving the objectives of this roadmap, which goes beyond purely legal or technical issues.
The real challenge is to give you the means to deliver the added value you need for your business while respecting the confidentiality of personal data.
Article written by Alexis Quentrec, RGPD specialist at Nuageo, Cloud Computing Consultancy.