Companies and public authorities are facing a huge opportunity to better understand their customers and users and to prove that they can be trusted with their personal data.
Many principles serve as levers to erect the new Data Protection system: a harmonised framework in the EU countries, be they 28 or 27 member states, and an application beyond EU borders for "sufficiently" protected processing, explicit consent and the right to objection, the right to oblivion, notifications in case of leakage, privacy by design, appointment of a DPO, heavy fines... the challenge is a colossal one.
The foundations of this data protection, which will be based on data security and respect for confidentiality, will be guaranteed by a new pair of special delegates inside any organisation: the CDO and the DPO.
How can you approach such a project?
The first, the Chief Data Officer (CDO), will have to ensure that the data pipeline leads to the world of Big Data. The stream of data is inexhaustible, of that you can be almost certain due to the explosion in the volume of data produced by machines, connected objects, and human imagination and behaviour. The CDO will negotiate, exchange, identify new sources and exploit this data for analytical purposes and decisions. His job is to explore at the service of the corporate strategy.
The second, the Data Protection Officer (DPO), aims to ensure compliance. He guarantees the adequate implementation of laws and regulations regarding the protection of personal data: he ensures that all safety requirements are met to supply the data pipeline. His job is akin to that of the geologist, you could call him an "egologist", an expert of the self... according to the law.
Boosting the DPO
This makes it necessary to start constructing that drilling rig for personal data. All organisations with more than 250 employees will have to maintain a data protection registry and appoint a corresponding Data Protection Officer. It should also be noted that subsidiaries (even with fewer than 250 employees) of larger companies will have to report their practices in this area to their parent company.
The first task is therefore to appoint the Data Privacy architect. The DPO will determine the scope of personal data that the company holds and its processing thereof. He is often an expert in business compliance and not necessarily in information security or the digital value chain. He will have to locate name-based data containers, IDs, IP addresses, cookies, geolocation data... belonging to an "identified or identifiable natural person" and other elements as detailed in Article 4, §1 of the Regulation (EU) 2016/679. The DPO also has to know about the uses of the data, which the European legislator sees as being the processing, i.e. the operation or chained operations performed with or on it, in an automated or other manner, to enable - and this is an exhaustive list - "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" of personal data. In short, this includes absolutely all flows and operations involving personal data.
Next, the DPO will need to mirror the specific impact on the company's business. He will ensure that his action puts the company out of harm's way, excluding any penalties for wilful violation or neglect, which can amount to up to 4% of worldwide turnover or 20 million euros - the highest of the two figures being applicable. He will consolidate the retention rules, sectoral or industrial specificities and regulations (for example, in the specific context of the sectors of finance, health, trade, ...), the contractors and subcontractors, the already established procedures in terms of consent, the communication on the purpose of data collection, the measures and mechanisms used to address security risks, etc. He will have to conduct a full impact assessment.
Finally, the DPO will also assist his company in adopting an enthusiastic and optimistic vision of the proper use of personal data, ensuring that both the legal security of the organisation is guaranteed and that the new trusted pipeline between consumers and other users of the business will be an essential feature supplying energy to his company.
It is a tremendous opportunity and thus also a challenge
"Every action counts," says Yves Reding in the white paper"Data Protection" published this summer by EBRC, which is available on request. In the context of its own mission, which is to contribute to the creation of a trusted framework at the heart of the European digital economy, EBRC fully defends these values that should allow Luxembourg to become the engine of this virtuous circle.
Inerview of Raphaël Henry by Alexandre Keilmann
Published in Beast, Autumn 2016