GDPR: After 25th May, What Medium and Long Term Actions?
Scenario After the GDPR Compliance Measures
What is next after the main GDPR compliance procedures? What actions can be taken in the medium and long term? Should we wait for the laws for specific cases or scenarios?
Here, we will see some recommendation from experts.
On May 25th, 2018, once the main provisions have been implemented to comply with the new GDPR regulation, any new action must be compliant from the design stage and properly protected. However, there will still be a lot to do. When the main pointers have been treated as a priority, we must continue to advance on the projects presented in the road map to avoid the risk of being exposed to sanctions and fines. The regulation does indeed consider that the job of DPO (data protection officer) is permanent. It is a part of the continuous improvement process. It is therefore a question of continuing the implementation of the best procedures. It can be real IT projects or programs to engage on traditional delays of 6 to 18 months which has been observed by many experts.
In the Face of the Risks of Collective Actions
Nobody knows exactly what actions and what control will be exercised. On the other hand, it must be understood that organisations are exposed to class actions by users, customers or consumers although the risk of being a violator is always real.
Among the medium and long-term worksites, reference may be made of the right of access (with rectification, opposition and deletion); as well as the right to portability that will allow interested parties to retrieve an electronically transmittable file to a third party, typically in case of change of provider.
The information / communication component can also be an important program. In particular, it is vital to be transparent about the purpose of the actions. For example, if I give my personal details for specific service; there is no question of using them for another purpose.
Therefore it is important to ensure that the modalities of data collection must be fair, lawful and transparent. If applicable, for back-office processing in “near-shore” or “off-shore”, (e.g. consultation or troubleshooting centres in South-East Asia), it must be informed that the data is likely to be exhibited outside the EU.
Business Opportunities and Revision of its Digital Strategy
The respect of the new regulation can open real commercial opportunities:
“If one is positive, this overlay of regulatory constraints can turn into a gold mine”.
By putting themselves in order, companies will be able to communicate its competitive strengths to their customers. They may, for e.g. declare that they do not monetise the use of personal data or do so in their interest by obtaining their adhesion. For instance, the choice of point of sale or the points of contacts who have chosen the service.
Such an approach encourages creating or at least reconsidering its digital strategy. It leads to restructuring the processing of databases, including private data. For an instance, it shows that
Not only do I respect the regulation in the eyes of my users or customers, but I propose to them, by being transparent, to take advantage of them to improve the service
Principle of Responsibility
This transparent approach is more appropriate for all the major groups. The principle of responsibility between subcontractors and the collector and data holder (and never “owner” because the data remains the property of the people). The data collector becomes responsible for the correct application of the rules by his subcontractors.
Advance on the Legal and Informatics
You have to be pragmatic. You need to intervene on the legal, technical as well as other aspect of the data. There are tools, such as the DPPS (Data Protection Impact Assessment) that not only lets you facilitate various tasks but also codes of conduct and good practice guides such as the ICO (UK).
The mapping of personal data, in files or application, can involve a hundreds of actions. It is therefore recommended to design a prioritisation plan based on the nature and sensitivity of the data.
The implementation of safety and traceability procedures is also, in itself, a process of continuous improvement.
It is thus welcome to carry out diagnostics or compliance audits of the company. You can then act on an adhoc depending on the basis of on the impact assessment. On some aspects, it may be appropriate to resort to some support.
The Limits of Encryption
Encryption is recommended upstream, especially in the case of payment procedures or financial transactions such as Pci-Dss protocols. But it can be very tedious for some organisations. It can take a long time, and may be heavy for historical bases of great volumetry and little information (like recipient files of a newsletter). It is not recommended systematically as this may be disproportionate in some contexts.
Minimization, Anonymisation and Pseudonymisation
Applying the minimisation principle makes it possible to expose less data by collecting only the data that are really useful and necessary in the context of the stated purpose.
We must not focus on technical mapping, but on identification, the right to identity in a limited space, and qualification. “Can we hold these data? Yes, if we cannot do otherwise”.
Anonymisation, which is irreversible, is a good approach under the law, if it is necessary to lock in a strong confidentiality, while the pseudonymisation (which allows going back) remains debatable, even if it is legally valid. But again, the processes are tedious and expensive if they are done afterwards.
Right to Information and Erasure
The right to information, which is also the right to question, must also, remain a concern, “in a proactive dynamic manner”.
The obligation to delete or purge raises the question of how long data should be kept, which depends on their nature and on contractual commitments or general conditions. So there is an impact on the action. This chapter also raises questions about the duty of memory, the right to history, but also refers to the freedom of the press, which aims to preserve the memory of the facts.
In the Long Term, Jurisprudence and Readjustments…
In the balance sheet, the compliance with the GDPR is a continuous process. The GDPR regulation, it is an inflation of articles, twenty more, compared to the law of 1978, that is to say 99 articles, which are introduced by 173 ‘recitals’ with as many possible interpretations. Though, nothing is clear enough, but the litigation cases will focus on certain points.
Finally, we note that the stakes are global and frontal. The legal principle is the most important part of GDPR, however, it is not a question of freedom but of dignity, and the respect for the dignity of the people.