GDPR – General Data Protection Regulation – is a new European regulation that will take effect in May 2018.
Designed to protect the personal information of citizens and consumers, this new regulatory framework has major impacts on businesses, which will need to adapt quickly.
New obligations
The new requirements for companies cover four main areas:
- Obligation to maintain a register of personal data, which will replace the current declaration, but with a reversal of the burden of proof: until now, the regulatory authority had to demonstrate any failure to meet requirements, and the party responsible for processing the data had time to remedy its situation. In the future, it will be up to the company to demonstrate that it is in compliance.
- Introduction of the principle of portability of personal data, for data transmitted voluntarily by a natural person or collected as a result of their activity. Such data belongs to the person it concerns, who has the right to demand its transfer or restitution. Companies will need to inform the people concerned of the existence of this right, and specify the type of data that is subject to transfer.
- “Privacy by design”: this concept requires taking privacy into account from the very design of an information system, database or application. An insufficiently secure application would therefore not be compliant. Companies must aim for the highest possible bar in terms of protecting privacy. Every time they initiate a processing procedure, they must obtain explicit and specific consent (opt-in) from the user.
- Obligation to notify the authorities in case of a personal data breach. Companies, via their IT and personal data processing managers, will have to alert the CNIL rapidly if personal data is compromised. Where possible, they will make a formal declaration within 72 hours of learning of fraudulent access to vulnerable personal data.
Risk of substantial sanctions
To guarantee respect for these new requirements, the GDPR provides for heavy penalties against companies who do not comply: for the worst violations, financial penalties can reach €20 million or 4% of annual global revenue, whichever is higher.
It is clear that a €20 million fine could mean the end of an SME, and a loss of 4% of global revenue could push a big multinational into the red.
This means there is no time to lose: companies must plan solutions that will let them guarantee compliance with the GDPR, within a budget framework that takes appropriate account of the risk of financial sanctions.
Introducing traceability of access to personal data
Because it will now be up to the company to prove that it has committed no fault, traceability of access to personal data is becoming critical.
“What personal data is consulted or modified, and by whom within the company?” is the question companies will have to be able to answer quickly and fully in case of an inquiry following the discovery of an error or fraud.
And it is the quality of the response to this question that will determine the amount of possible financial sanctions that might be imposed by authorities.
Facilitating Data Portability
Data portability is now mandatory, to allow the consumer to switch from one bank to another, from one insurance company to another, or from one energy vendor to another.
With its 360° capabilities, Contextor can easily collect all the data, personal or not, about a specific customer, from any application or data silo, and put it in a digital package that can be given to the consumer, in order to facilitate their onboarding with the new service provider.
A solution that is easy to deploy
Contextor offers a simple solution, “Contextor GDPR”, to provide a global response at two different levels:
- Deploy a Contextor Interactive module on every desktop that might process personal information; this module runs a script that traces every read or write access to sensitive data. Because it is entirely independent of existing applications, this module makes it possible to supervise access to all personal data, including data processed by older applications or by applications external to the company’s IS, which the company cannot modify.
- Using a Contextor Galaxy module on a server, collect all this information from every relevant desktop within the company: this will provide an overview of how the company manipulates the personal data it needs for its business.
Unjustified access to personal data can be immediately detected, and corrective measures put into place very quickly.
With this system, GDPR compliance managers have an efficient tool for monitoring the use of personal data: beyond the procedure books, the exhaustive access trace produced by the modules provides incontestable evidence.
In case of an anomaly, the company will be able to prove to the authorities that it has taken a global view of the issue and proactively implemented tools and procedures allowing it to ensure compliance with the GDPR.
You have less than 11 months until May 25, 2018, so don’t delay in contacting us to learn more about our “Contextor GDPR” solution.
If you want to get moving quickly, why not implement a pilot project as soon as this fall?