
GDPR: after May 25, what actions in the medium and long term?

Scenario after GDPR compliance measures

What comes next once the main GDPR compliance procedures are in place? What actions can be carried out in the medium and long term? Should we wait for case law on specific situations or scenarios?

Here we will see some expert recommendations.

On May 25, 2018, once the main provisions needed to comply with the new GDPR regulation have been implemented, any new processing must be designed with data protection in mind from the outset and properly secured. Much remains to be done, however. Once the priority items have been dealt with, the projects set out in the roadmap must be carried forward, to avoid the risk of exposure to sanctions and fines. The regulation in fact treats the role of the DPO (data protection officer) as permanent: it is part of a continuous-improvement process, so the point is to keep applying the best procedures. These may be full IT projects or programmes, with the usual lead times of 6 to 18 months that many experts have observed.

Faced with the risks of collective actions

No one knows exactly what enforcement actions and controls will be carried out. What must be understood, on the other hand, is that organizations are exposed to collective actions by users, clients or consumers, and that the risk of being found in breach is always real.

Among the medium- and long-term work, mention can be made of the right of access (together with rectification, objection and erasure), as well as the right to data portability, which allows data subjects to obtain their data in a file that can be transmitted electronically to a third party, typically when changing provider.

The information / communication component can also be a major programme. In particular, it is vital to be transparent about the purpose of processing: if I provide my personal data for a specific service, it must not be used for another purpose.

It is therefore important to ensure that data is collected fairly, lawfully and transparently. Where applicable, for back-office processing carried out “near-shore” or “off-shore” (for example, support or troubleshooting centres in Southeast Asia), data subjects must be informed that their data is likely to be accessed outside the EU.

Business opportunities and review of your digital strategy

Complying with the new regulation can open up real business opportunities:

“If you are positive, these overlapping regulatory constraints can become a gold mine.”

By getting their house in order, companies will be able to communicate their competitive strengths to their customers. They can, for example, state that they do not monetize personal data, or that they do so in the customer's interest once the customer has signed up, for example to record the point of sale or the contact channels the customer has chosen for the service.

This approach encourages creating, or at least rethinking, your digital strategy. It leads to restructuring how databases, including those holding personal data, are processed. The message to convey becomes: not only do I respect the regulation in the eyes of my users or clients, but, by being transparent, I propose to use their data to improve the service.

Responsibility principle

This transparent approach is all the more appropriate for large groups. The accountability principle binds the data collector (the controller) and its subcontractors (the processors); the controller is never the “owner” of the data, which remains the property of the individuals concerned. The data collector is responsible for the correct application of the rules by its processors.

Advancement in the legal and IT field

You have to be pragmatic, and act on the legal, technical and other aspects of the data. There are tools, such as the DPIA (Data Protection Impact Assessment), that facilitate various tasks, as well as codes of conduct and good-practice guides such as those of the ICO (United Kingdom).

Mapping personal data across files and applications can involve hundreds of actions. It is therefore advisable to draw up a prioritization plan based on the nature and sensitivity of the data.

Implementing security and traceability procedures is itself a continuous-improvement process.

Company compliance diagnostics or audits are therefore welcome. You can then act case by case on the basis of the impact assessment. In some respects, it may be wise to seek outside support.

The limits of encryption

Encryption upstream is recommended, particularly for payment procedures and financial transactions, as required by standards such as PCI DSS. But it can be very burdensome for some organizations: time-consuming and cumbersome for high-volume, low-value legacy databases (such as newsletter recipient lists). It is therefore not systematically recommended, as it may be disproportionate in some contexts. Note, however, that encryption is expressly cited in Article 32 of the GDPR as an appropriate security measure, and a breach affecting data that was encrypted may be exempt from notification to the data subjects under Article 34, which weighs in its favour wherever it is proportionate.

Minimization, anonymization and pseudonymization

Applying the principle of minimization reduces exposure by collecting only the data that is genuinely useful and necessary for the stated purpose.

The focus should not be on technical mapping alone, but on identifying each data item, on whether a person's identity needs to be held at all (the right to identity in a limited space), and on qualifying the data. “Can we keep this data? Yes, if we can't do otherwise.”

Anonymization, which is irreversible, is a sound approach under the law when strong confidentiality is required, whereas pseudonymization (which allows re-identification) remains debatable, even if it is legally recognized. Note that pseudonymized data still counts as personal data under the GDPR (Recital 26) and remains fully subject to the regulation; only genuinely anonymized data falls outside it. Here again, the processes are tedious and expensive if done after the fact.
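As an added illustration of the three techniques discussed in this section (minimization, pseudonymization and anonymization), and not part of the original article, the following Python sketch applies each of them to a constructed list of newsletter subscribers. The field names, the keyed HMAC-SHA256 token used as the pseudonym, the separately held lookup table and the ten-year age bands are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for the example; these are not real people.
RECORDS: List[Dict] = [
    {"email": "alice@example.org", "name": "Alice Martin", "age": 34,
     "city": "Lyon", "newsletter": True, "last_login": "2018-05-20"},
    {"email": "bob@example.org", "name": "Bob Durand", "age": 52,
     "city": "Lille", "newsletter": False, "last_login": "2018-05-22"},
]

# Fields actually needed for the stated purpose "send the newsletter"
# (an assumption for the example).
NEWSLETTER_FIELDS = {"email", "newsletter"}


def minimize(record: Dict, purpose_fields: set) -> Dict:
    """Data minimization: keep only the fields the stated purpose needs."""
    return {k: v for k, v in record.items() if k in purpose_fields}


def pseudonymize(records: List[Dict], key: bytes,
                 identifier: str = "email") -> Tuple[List[Dict], Dict[str, str]]:
    """Replace the direct identifier by a keyed token (HMAC-SHA256).

    A plain hash of an e-mail address is not a pseudonym: anyone can hash
    candidate addresses and match them.  With an HMAC, re-identification
    needs either the key or the lookup table, both of which the controller
    keeps separately from the pseudonymized data set.
    """
    lookup: Dict[str, str] = {}
    out: List[Dict] = []
    for rec in records:
        token = hmac.new(key, rec[identifier].encode("utf-8"),
                         hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec[identifier]
        # drop the direct identifiers, keep the rest, attach the token
        pseudo = {k: v for k, v in rec.items() if k not in (identifier, "name")}
        pseudo["subject_id"] = token
        out.append(pseudo)
    return out, lookup


def reidentify(pseudo: Dict, lookup: Dict[str, str]) -> Optional[str]:
    """Backtracking: only whoever holds the lookup table can do this."""
    return lookup.get(pseudo["subject_id"])


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def anonymize(records: List[Dict]) -> List[Dict]:
    """Irreversible: drop every identifier and keep only generalized values.

    No key or table exists that could map a row back to a person.  Whether
    the remaining columns still form a quasi-identifier in a small data set
    (e.g. a single 50-59 subscriber) must be checked separately.
    """
    return [{"age_band": age_band(r["age"]), "newsletter": r["newsletter"]}
            for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # stored apart from the data set
    pseudo_rows, table = pseudonymize(RECORDS, key)
    print("pseudonymized:", pseudo_rows)
    print("re-identified first row:", reidentify(pseudo_rows[0], table))
    print("minimized:", [minimize(r, NEWSLETTER_FIELDS) for r in RECORDS])
    print("anonymized:", anonymize(RECORDS))
```

The contrast worth noting is that the pseudonymized rows can be walked back to a person by anyone who obtains the key or the lookup table, which is exactly why they remain personal data, whereas the anonymized rows carry nothing that any secret could reverse.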

Right to information and deletion

The right to information, which is also the right to ask questions, must also remain a concern, “in a proactive, dynamic way.”

The obligation to delete or purge data raises the question of how long it should be kept, which depends on its nature and on contractual commitments or general terms and conditions. This has a direct impact on the measures to take. This chapter also raises questions about the duty of memory and the right to history, and it touches on freedom of the press, which aims to preserve the record of events.

Long-term, jurisprudence and readjustments …

On balance, GDPR compliance is an ongoing process. The GDPR is an inflation of articles: 99 of them, some twenty more than the French law of 1978, introduced by 173 “recitals” that are open to the greatest number of possible interpretations. Nothing is yet entirely clear, but litigation will settle certain points.

Finally, what is at stake is global and head-on. The legal principle is the most important part of the GDPR; it is not a question of freedom but of dignity, and of respect for the dignity of individuals.
