GDPR: Who is affected by this new European regulation?
The General Data Protection Regulation (GDPR, known as the RGPD in French) entered into force on 24 May 2016 and becomes applicable on 25 May 2018.
This European regulation establishes and reinforces obligations regarding the use (i.e. the processing) of the personal data of individuals in the European Union.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. Typically, this includes surname, first name, postal address and email address, but also date of birth, IP address, customer number, location data, etc. In short, any information that can be used to identify a natural person, directly or indirectly, on its own or combined with other data.
The challenge of the GDPR is to control the processing of this data. By processing, the regulation means any operation performed on personal data, whether automated or not: collecting it, storing it, consulting it, transmitting it, combining it or deleting it, in order to achieve a specific purpose.
For example, data may be processed to send a newsletter to all those who have given their consent: the email address (possibly including first and last names) is processed to send the newsletter.
Processing can also involve compiling statistics to get to know customers better using big data tools, with the aim of profiling the customer base.
Finally, we must not forget a case that concerns all companies without exception: payroll management also involves the processing of personal data.
What obligations must be met?
As its name suggests, the regulation concerns the protection to be afforded to personal data. The 88 pages of the regulation set out a framework that must be respected and built upon. We have listed some of the key points below.
Rather than prescribing a list of technical measures to be implemented, the regulation requires companies to know exactly what personal data they hold, how it is processed, by whom and for what purposes.
In practice this means keeping a record of processing activities (the "register" of Article 30): for each processing operation, its purpose, the categories of data and of data subjects, the recipients, the retention period and the security measures applied. Beyond demonstrating accountability to the authorities, this register is the reference that lets a company quickly identify the parties involved and the data concerned in the event of a security incident.
The regulation also provides a framework for the behaviour that companies must promote with regard to end-user data, namely greater transparency and accountability.
Of particular note are the obligations to inform users in advance of how long their data will be used, and above all for what purposes, in a precise and explicit manner.
The appointment of a Data Protection Officer (DPO) is mandatory in a number of cases (public authorities, organisations whose core activity involves large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive data) and strongly advisable for the others. The DPO is the main architect of compliance with the obligations of the GDPR: he or she advises on data protection impact assessments, monitors compliance, and acts as the point of contact for data subjects and for the supervisory authority.
A single DPO can be shared by several companies, in particular within a group of undertakings or among bodies in the same sector of activity. The DPO can thus propose a common approach to securing personal data across different departments and entities, so that the same level of protection applies to all the personal data processed.
Finally, companies must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; if notification is late, the reasons for the delay must be given. When the breach is likely to result in a high risk to them, the affected individuals must also be informed without undue delay, together with the measures taken to remedy the problem and mitigate its effects. The DPO is the natural coordinator of these notifications.
Who is affected by this regulation?
This regulation applies to any organisation, whether it acts as data controller or as data processor, that processes the personal data of individuals located in the European Union. It therefore applies to every company established in the EU, whatever the nationality or location of the people whose data it processes.
It also applies to companies established outside the EU when they offer goods or services to individuals in the EU or monitor their behaviour (for example through online tracking), as well as to foreign providers that process personal data on behalf of European companies, which must then be bound by a contract meeting the regulation's requirements.
So there is no difference between software publishers and the companies that use their software: the same concern for the protection of personal data applies to both types of company.
Deterrent penalties
Compliance with this regulation must become a key part of corporate strategy: if companies fail to take the obligations of this regulation seriously and effectively into account, the penalties are severe.
Penalties for breaches of the organisational obligations (record of processing activities, DPO, breach notification, processor contracts, etc.) can be up to €10 million or 2% of the company's total worldwide annual turnover for the preceding financial year; for a company belonging to a group, the turnover considered is that of the whole undertaking.
For the most serious breaches (principles of processing, individuals' rights, unlawful international transfers), the ceilings are doubled: €20 million or 4% of worldwide turnover. In all cases, the higher of the two amounts applies.
Beyond the financial damage, the repercussions will be greatest in terms of the image of the offending company. Because the aim of this regulation is not to punish data leakage, but to prevent risky behaviour by companies with little regard for personal data.
Publishers and users, the same battle?
If they have to satisfy the same need to protect personal data, there is a common lever: these obligations represent an opportunity.
The regulation was designed to give all users of a service back control over data that they hand over fairly easily and that is too often processed with little regard for the purpose for which it was collected.
This opens the door for companies and publishers who so wish to project a respectful and honest image by promoting the ethical handling of personal data.
To do this, they should anticipate the obligations of the GDPR by offering users, for example:
- Control over their data and how it is used, by listing the various processing operations clearly and precisely, with an explicit opt-in for each of them.
- Portability of their data, by letting them export it in a structured, commonly used and machine-readable format (csv, xml, json, etc.).
- A simple and clearly signposted way to delete their data from a dedicated space.
- A dedicated point of contact for any queries about the processing of their data.
For a publisher, the added value will consist in positioning itself as a facilitator, and giving its customers the means to take an active role in the following areas in particular:
- Data control (location, ability to mask/encrypt, etc.).
- Communication in the event of an incident.
- Transparency with regard to access and the means of protection implemented.
- The presence of a dedicated contact point for any questions relating to data confidentiality and processing.
A race already in the final sprint
The GDPR applies from tomorrow, figuratively speaking. To meet the obligations set out in this regulation, it is essential to get to grips with it now and to anticipate the efforts required.
Knowing and controlling your data assets is a demanding task, and much of it falls to business teams whose day-to-day concerns are far removed from these issues.
All the players involved must cooperate and coordinate to ensure compliance with the GDPR: getting to grips with the profound challenges of this regulation is a real opportunity to offer differentiating value, in a data-related context that is undergoing lasting change.