The DPO in 2019: the results are in!

Since May 2018, the General Data Protection Regulation (GDPR) has required companies to appoint a “DPO”, or Data Protection Officer, within their organization. This new role consists of managing personal data and informing employees of the obligations to be respected under the European regulation.

More than a year after these rules came into force, we at Zeenea organized a workshop with DPOs from different business sectors with one idea in mind: how to help them with their GDPR implementation. We would like to share their feedback with you today.

Current Assessment

To better understand Data Protection Officers and their function, let’s assess their current situation.

The tools

Our participants affirm that the applications they use are only a means of implementing data governance.

Enterprises have nevertheless adopted new tools to help DPOs put GDPR in place. This software is generally considered unintuitive and complicated to use. However, some tools manage to stand out:

Among the DPOs’ tools, one of the most appreciated is the catalog application, mainly for its macro view of the exchanges between different applications and for its quick and easy detection of personal information.

At the same time, data catalogs, one of the most recent tools on the market, are starting to reach the DPO community. Investing in these tools is a strategic choice that some participants have already made. The ability to document data and keep a history of that information, by collecting and cataloguing the company’s data, has convinced them!

Governance

DPOs are well aware that the efforts must be placed on acculturation and raising employee awareness in order to hope for better results.

The pursuit of governance aims only to help the business side understand and assess the risks on the data they handle. DPOs therefore put their energy into effective management and communication of shared rules, so that the company acquires the right reflexes. Because, yes, data remains a subject that few employees on the business side master.

Information systems

The heterogeneity of information systems is a “normal” environment with which DPOs are confronted.

They are thus faced with trying, by every means, to bring information systems into compliance, which very often proves complex and technically costly.

Internationally

We associate DPOs with the GDPR, often forgetting the rest of the world.

Many countries, such as Switzerland and the United States, also have their own regulations. DPOs are no exception, and neither are their companies!

One thing is certain: the scope of the work is gigantic and requires strong prioritization of subjects. But beyond the priorities dictated by urgency, it requires striking the right balance between meeting compliance standards and meeting business requirements!

The challenges of DPOs for 2020

In light of these observations, the workshop concluded with a look at 2020 and its new challenges.

Together with them, we drew up a list of “resolutions” for the new year:

    • Invest more in improving the qualification and requirements for data documentation,
    • Integrate more examples on good practices in the employee awareness phase,
    • Provide precise indicators on the use and purpose of the data in order to predict the risks and impacts as soon as possible,
    • Become a stakeholder in the implementation of data governance to guarantee effective data acculturation in the enterprise.

GDPR: What is trending in 2019?

The Big Data market has evolved greatly since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018: new partnerships have been formed, new technologies developed, and start-ups have taken off.

Nevertheless, this is just the beginning! In 2019 so far, enterprises continue to adapt their data management. This article delves into the GDPR trends and predictions of 2019.

The 2018 GDPR report

The regulation was certainly the subject of the year! GDPR profoundly changed the way enterprises handle data, from companies in the CAC 40 (the French stock market index) to SMEs. Overall, we can see that enterprises began making several changes to adjust to GDPR:

Data breach notifications

Any personal data breach likely to present a risk to individuals must now be reported to the CNIL within 72 hours. Upon receipt, the CNIL investigates the alert and may close your file or, depending on certain criteria, require you to inform the individuals concerned.

Visit https://www.cnil.fr/en/rights-and-obligations for more information.

The implementation of Data Protection Governance

Few enterprises had true governance around data protection before GDPR; the task was entrusted to the legal department or to company data protection agents. Since the regulation, however, according to the latest IAPP-EY annual report, over 50% of enterprises have set up an organization dedicated to data protection. According to the CNIL, there are now more than 15,000 Data Protection Officers (DPOs), compared with 5,000 company data protection agents before GDPR.

Updating privacy policies

The majority of enterprises also had to revise their privacy policies and legal notices, and update their supplier or partner contracts with new data protection clauses. The tidal wave of mail in our mailboxes around May 25th was certainly proof of GDPR’s importance!

Raising awareness of the regulations within the enterprise

Finally, you may have noticed that within your enterprise, raising awareness of data protection among colleagues has become important, whether through e-learning modules, training courses, or various internal communications.

2019 GDPR predictions and trends

In order to protect themselves from huge fines (up to 4% of revenue or €20 million), enterprises are going to have to continue adapting to GDPR. Data protection authorities such as the CNIL were very lenient in 2018 and are therefore stricter in 2019. It is also imperative that enterprises adapt to regulations both in Europe and in the United States.

GDPR itself is a 2019 trend; it will soon be considered a global standard. For example, U.S. Senator Ron Wyden of Oregon recently introduced the Consumer Data Privacy Act. Countries like Japan, South Korea, and Tunisia have also adopted regulations similar to GDPR. Mick Levy, Business Innovation Director at Business & Decision said, “Data is an enterprise’s asset, like its human capital or its means of production. We must give ourselves the means to exploit and protect it.” (orange-business.com)

How to implement data governance while adapting to GDPR?

As mentioned above, good data governance is nowadays obligatory in order to properly organize, search, retrieve, and protect data. Zeenea offers you a data catalog that is capable of centralizing your enterprise’s data knowledge in one intuitive platform to help you become a data-driven enterprise and to construct data governance in an agile and lean start-up mode. 

For more information or to request a demo: https://zeenea.com/fr/contact/

    GDPR: An additional burden for the data industry?

    The concern of companies about the challenges of implementing the GDPR is very real. Will we still be able to do business from May 2018? What will be the technical and, above all, the financial impacts of this compliance?

    The GDPR, a gray area for enterprises

    Let’s face it, there is still a “Y2K bug” effect surrounding the arrival of the GDPR… Many enterprises perceive GDPR as an additional burden on a data industry that is already far from easy. They find themselves in a grey area, trying to implement this regulation and to avoid the heavy penalties for non-compliant companies.

    Yes, but…

    The GDPR must be seen as an opportunity to reach a certain maturity in terms of governance and data control. Above all, it means establishing a contract of trust between data subjects and data controllers. Without a doubt, this contract of trust will benefit everyone!

    For instance, individuals are rather reluctant to give their personal information to companies. However, numerous studies show that under a new deal, where personal data are provided for a specific purpose and can be retrieved or deleted at any time, users are willing to share their personal data. It is, therefore, an opportunity to offer value-added services to customers – a give and take.

    For organizations, the GDPR will bring greater confidence as well as an excellent reputation for processing data, which will result in more commitment.

    Rethink your data management

    The GDPR is also an opportunity to check up on data in enterprises:

    • Clean up incorrect data.
    • Avoid (costly) over-acquisition of data.
    • Establish or improve data governance.
    • Implement best practices around Big Data and Data Science initiatives.

    This new control and governance of data will make it possible to extract the best insights from it and, from those insights, to create the highest-value products.

    Holding companies accountable

    What, in the end, does the legal jargon of the GDPR, which we detailed in our series of articles “GDPR – the legal bases”, actually mean? It is essentially a matter of making companies responsible for the data they use. Hence, this regulation requires you to ask the right questions:

    • What personal data do I have? Where are they?
    • What are the possible uses for my data?
    • What can I do with my data?
    • Why do I collect them?
    • What result am I trying to achieve?

    Implement technological initiatives

    Thus, the arrival of the GDPR mainly impacts the legal and organizational areas of our businesses. This regulation will also be the time to implement technological initiatives in our Big Data ecosystems, which will not only help enterprises comply with the regulation but will also have intrinsic value. In our opinion, the first thing that needs to be done is to map the personal data used and stored within your enterprise. Data catalog tools can be the beginning of such a response.

    GDPR: Main Content of the European Regulation

    This article is an introduction to the General Data Protection Regulation (GDPR) in the framework of your Big Data projects.

    Be careful though! This isn’t going to be about giving legal advice, but rather a refresher course on the changes that GDPR will bring.

    The terms of the GDPR to define

    Personal data

    Any information relating to a human being (the data subject) that can be used to identify that person directly or indirectly. With the arrival of the GDPR, this definition was broadened to include online data: for example, names, photos, email addresses, bank details, social network posts, websites, medical information, IP addresses, location data, etc.

    Sensitive data

    Personal data that directly or indirectly reveal a person’s political opinions, philosophical or religious beliefs or trade union membership, or that relate to their health or sexual orientation. Such data may only be processed with the explicit consent of the individual.

    Data processing

    This broad term refers to any operation carried out on personal data, via automated or non-automated means. Examples of processing include the collection, recording, organization, storage, use and destruction of personal data.

    Data controller

    A data controller is a person who determines – alone or jointly with others – the purposes and the means of data processing (the collection and processing methods).

    The principles emerging from the GDPR

    Whom does it concern?

    • All companies located in the European Union that process personal data, regardless of their size.
    • All companies located outside the E.U. that process personal data relating to persons located in the European Union.

    The obligation to appoint a DPO

    The GDPR created the position of Data Protection Officer (DPO). Their responsibilities include:

    • Monitor the company’s compliance with regulations
    • Be the point of contact with the Supervisory Authorities as well as those who have questions on personal data processing
    • Advise and inform the company, its employees, and any possible processors.

    The responsibility

    Companies must ensure that they comply with GDPR’s obligations and be able to demonstrate compliance with its principles.

    Valid consent

    The controller must be able to demonstrate that the data subject has given his or her consent.

    Notification of breaches

    In the case of a personal data breach, the company is obliged to inform its Supervisory Authority within 72 hours of discovering it.

    Privacy protection from the design stage

    The controller must implement data protection measures (pseudonymization, minimization, etc.) from the design stage, i.e., when determining the means of processing.

    Objection to profiling

    Any person may object to the automated processing of their personal data for the purpose of evaluating certain personal aspects relating to a natural person (analysis, prediction, etc.).

    Data portability

    Any person concerned by the processing of their data can obtain from the controller a copy of their processed personal data and, where applicable, the transfer of these data to a third party.

    Sanctions

    Violation of basic principles, including the conditions for consent or the rights of the persons concerned, will be subject to a sanction of up to €20 million or 4% of annual worldwide turnover.

    GDPR: 8 new rights guaranteed to European residents

    In December 2018, Matthieu Blanc, former VP Product at Zeenea, asked himself: “How will the GDPR change the Big Data world?” In this series of articles, we focus on the legal aspects explained during his conference at XebiCon’17.

    One of the main objectives of the GDPR is to strengthen the rights of individuals

    European residents have 8 new rights:

    1) Right to be informed (Art. 13 & 14)

    When data is collected from a natural person, several pieces of information must be communicated to them, including the purpose of the processing and their rights in relation to the enterprise. It is important that privacy and data protection policies are easily accessible and kept up to date. A link to the privacy policy must be provided whenever data is collected, from online registration forms for example.

    2) Right of access (Art. 15)

    Exercising your right of access allows you to check the accuracy of your data and, if necessary, have it corrected or erased. For example, you can request your information from the person in charge of your file, and they are obliged to give you all of the information they hold on you.

    3) Right of rectification (Art. 16)

    The right of rectification complements the right of access. A person may request that their inaccurate data be rectified, or their incomplete data completed. It prevents an organization from processing or spreading false information about you.

    4) Right to data portability (Art. 20)

    This is a new right. The right to portability gives people the ability to retrieve some of their data in an open, readable format. They can easily store or transmit them from one information system to another, for reuse for their personal purposes. This may be the case with telecom operators, for example.

    5) Right to object (Art. 21)

    Anyone may object, for legitimate reasons, to being included in a file. They may also refuse, without having to justify themselves, to have their data used for commercial prospecting purposes.

    6) Right to erasure – Right to be forgotten (Art. 17)

    A person has the right to demand, as soon as possible, the deletion of their data when:

    • the person has withdrawn consent to the processing,
    • the person objects to the processing,
    • their data are no longer necessary for the purposes of the processing,
    • their data have been subject to unlawful processing,
    • their data must be erased under a legal obligation, except in certain cases.

    If the controller has made the data public, they will have to inform the other controllers processing it that the data must be erased and not reproduced.

    7) Right to restriction of processing (Art. 18)

    A person has the right to obtain the restriction of processing when they have objected to it, when they dispute the accuracy of the data, when the processing is unlawful, or when they need the data to establish, exercise or defend their rights in court.

    8) Automated individual decision-making, including profiling (Art. 22)

    A person has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly affects them, except where that decision is necessary for entering into or performing a contract, is authorized by law, or is based on their consent.

    GDPR: 7 principles to follow when processing personal data

    In December 2018, Matthieu Blanc, former VP Product at Zeenea, asked himself: “How will the GDPR change the Big Data world?” In this series of articles, we focus on the legal aspects explained during his conference at XebiCon’17.

    Personal data processing must obey these 7 principles:

    1) The principle of lawfulness, fairness and transparency

    The law requires that data be collected and processed fairly and lawfully, which implicitly requires the controller to be transparent with the person concerned.

    Let’s go a bit deeper:

    • The law guarantees people who submit their data the information they need about the processing that concerns them.
    • It ensures the possibility of individual control.
    • The controller is obliged to inform the people concerned as soon as the data is collected and whenever the data is transmitted to third parties.

    2) The principle of purpose

    All personal data that is collected and processed must be for legitimate purposes, corresponding to the missions of the controller or the enterprise. The misuse of these data is punishable under criminal law.

    3) The principle of proportionality

    The regulation demands that data be collected for a specific, clearly defined processing purpose.

    For example, in the case of a marketing operation where the last name, first name and email address are sufficient for the intended processing, collecting the street address, family situation, financial situation, etc. will be judged disproportionate and is therefore punishable by law.

    4) The principle of relevant data

    In other words, enterprises must ensure that the data is accurate and, where necessary, kept up to date.

    5) The principle of limited access and conservation of data

    This information cannot be kept for an unlimited period in the enterprise’s information systems. A retention period must be established for each file. Once that period has passed, the data must be deleted or anonymized.

    6) The principle of security and confidentiality

    The regulation reinforces security measures. Enterprises are responsible for the security of the data they process and must implement adequate measures to guarantee it (pseudonymization of data, impact analysis, penetration tests, etc.).

    This means that the controller is bound by these security measures and must implement them to:

    • Guarantee the confidentiality of the data and prevent its disclosure. In other words, the controller must ensure that third parties without authorization cannot access the data.
    • Prevent data from being altered or damaged.
    • Etc.

    This responsibility is embodied in a new principle, “Privacy by Design”. This principle refers to taking all the necessary steps to protect people’s rights from the design of a product or service onwards and throughout the data lifecycle (from collection to deletion).

    Security measures, both physical and logical, must be taken.

    For example: fire protection, backup copies, the installation of anti-virus software, regular password changes, etc. Security measures should be appropriate to the nature of the data and the risks presented by the processing.

    7) The principle of responsibility

    One of the biggest changes is the principle of responsibility. This principle obliges enterprises to document all measures and procedures relating to personal data security.

    This documentation serves as proof of compliance with the new rules and regulations in the event of an administrative check. This measure results in the obligation to maintain a register of processing activities. This register not only builds a database of processing activities, but can also serve to centralize and track all the compliance steps implemented by the company.

    Another consequence is the abolition of the obligation of prior declaration to the CNIL. This measure reflects the principle that governs the GDPR: empowering businesses by developing self-control.

    It is no longer up to regulators to prove that you are in the wrong, but it is up to you to prove that you are in the right!

    GDPR: What are enterprises’ main concerns?

    In December 2018, we posed the question: will the GDPR change the Big Data world? In this article series, we return to the legal aspects explained during the XebiCon’17 conference.

    The application scope of the GDPR

    While the GDPR applies to “Data Controllers”, i.e. the bodies that determine the purposes and means of processing personal data, it also extends to “Data Processors”.

    The rules and obligations of the GDPR apply to the processing – automated or not – of personal data.

    Definitions of GDPR terms

    First of all, let us agree on the definition of these terms:

    Personal data

    The GDPR provides a precise definition of personal data. It is:

    “Any information relating to an identified or identifiable natural person.”

    An identifiable natural person is understood to be “a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, a postal address, an e-mail, or several elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity”.

    The definition has therefore been broadened to include certain online data such as location data, online identifiers and identification numbers (device identifiers, cookies, IP addresses, etc.).

    Data processing

    This broad term refers to any operation carried out on personal data, whether or not by automated means. Examples of processing include the collection, recording, organization, storage, use, and destruction of personal data.

    Ultimately, the vast majority of European companies are affected by the GDPR’s measures.