Digital Transformation Management

Do you comply with the new General Data Protection Regulation (GDPR)?

Written by Guillaume PAGE

Internet users are getting very anxious when it comes to personal data security on the internet. This concern might be justified when you know that the last EU directive was enacted in 1995. At that time, neither Google, Twitter nor Facebook existed… The new EU General Data Protection Regulation (GDPR) will come into force in May 2018. What are the main topics addressed by this act? What are the impacts on your daily business?

The French consumers’ association ACSEL (in charge of the internet sector) recently released a study on the confidence of French consumers in digital. The survey raised a paradox: the majority of people connect to the internet on a daily basis (87%), but fewer and fewer trust it (37%, minus 3%). The key issue is the use of their personal data on the internet.

Among the respondents:

  • 45% are afraid that a third party could get access to their personal data.
  • 68% worry about the data collection carried out by search engines.
  • 81% believe that social networks use their personal data, and this practice bothers them.

In this context, the CNIL (the French data protection authority) recently issued a public formal notice to Cdiscount, one of the biggest e-commerce websites in France. As such, it should strive for exemplary internet security and respect the basic rules of personal data security.

Instead, the CNIL accuses Cdiscount of keeping millions of accounts of former customers and prospects in its database without any time limit, and of keeping the data of more than 4,000 bank accounts, sometimes including the security code, without the mandatory safeguards. Besides, the CNIL observed the presence of unnecessary, judgmental comments about customers, and found cookies being used without informing people of their rights and for very long periods (30 years), etc.

Companies and customers are disconnected

It looks like there is a big gap between companies’ priorities and customers’ expectations.

According to Symantec’s 2016 report on the “State of European Data Privacy”, most European companies believe that their capacity to comply with this new law will not impact their relationship with their customers. As a result, only a minority of companies consider this topic a priority.

However, Symantec’s 2015 data privacy report showed that data security on the internet is a key factor for customers in their purchase decision (88%).


What are the key principles behind the new General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the next step for the European Union in harmonizing laws and creating a single market. The regulation applies whenever an individual can be identified from the data that you hold. In case of violation of the personal data regulation, companies will face fines of up to 20 million euros or 4% of annual worldwide turnover.

Here are some of the key facts:

  • The General Data Protection Regulation (GDPR) reinforces the rights of end users. Companies will have to prove that end users gave their consent, and users must be able to withdraw it as easily as they gave it.
  • Companies will have to set internal policies and maintain records of all processing activities related to personal data (accountability and privacy-by-design principles).
  • Some companies will need to appoint a Data Protection Officer to monitor compliance with the regulation.
  • Companies will have to notify the supervisory authority of a data breach within 72 hours of becoming aware of it.
  • One-stop shop: companies will deal with the supervisory authority of their home country for the whole of Europe, instead of contacting the authority in each country.
  • Companies established outside the European Union, e.g. GAFA, will have to comply with the EU regulation as long as they process personal data of individuals based in the EU.


6 impacts on your daily business

The General Data Protection Regulation (GDPR) will have multiple consequences for your organization. Here are a few to start with:

  • Suppliers: the General Data Protection Regulation (GDPR) will impact the relationship with your IT suppliers. It will require new policies in terms of risk assessment, as well as new contractual clauses. SaaS providers, data centers, web marketing agencies, adtech companies, e-commerce websites, outsourced HR payroll, etc. are potentially concerned.
  • Individuals/customers: you will need to set up new policies around individual access requests. In case of a data breach, the company will have to retrieve the affected data as fast as possible.
  • Internally:
    • Encrypt devices to ensure a good level of personal data security in case of lost or stolen devices.
    • Offer training to your employees to raise awareness of personal data security, and set new internal policies.
    • Review your marketing initiatives with regard to your customers’ consent for the use of their personal data.
    • Review your insurance contract to protect against claims from end users over the misuse of their personal data.


Conclusion

The new General Data Protection Regulation (GDPR) is an important step for European citizens to regain control over their personal data. To be convinced, companies will need to assess the impact on their brand image and their financial risk. For instance, rating agencies estimate that cyber risk could in future represent 20% of their whole evaluation.

According to Symantec, it is in any case only a matter of time before the lack of security around personal data on the internet slows down some parts of e-business. One person in three already gives wrong information when online. With more and more companies basing their business model on data, this lack of trust could lead to a systemic risk.

About the author

Guillaume PAGE