GDPR: After May 25, what actions in the medium and long term?

Scenario after the GDPR compliance measures

What happens after the main GDPR compliance procedures are in place? What actions can be taken in the medium and long term? Do we have to wait for laws covering specific cases or scenarios?

Here, we’ll look at some expert recommendations.

By 25 May 2018, once the main provisions required by the GDPR have been implemented, any new processing must comply with the regulation from the design phase onward and be adequately protected. However, much remains to be done. Once the priority items have been handled, work must continue on the projects listed in the roadmap, to avoid exposure to sanctions and fines. The regulation treats the work of the DPO (Data Protection Officer) as permanent: it is part of a process of continuous improvement, so the task is to keep putting the right procedures in place. These can be genuine IT projects or programmes, subject to the usual delays of 6 to 18 months that many experts have observed.

Faced with the risks of collective action

No one knows exactly what actions will be taken or what controls will be exercised. What should be understood, on the other hand, is that organizations are exposed to collective action by users, customers or consumers, and that the risk of being found non-compliant is always real.

Among the medium- and long-term tasks are the right of access (together with rectification, objection and erasure), and the right to portability, which lets data subjects retrieve a file that can be transferred electronically to a third party, usually when changing provider.

The information/communication component can also be an important programme. In particular, it is vital to be transparent about the purpose of processing. For example, if I give my personal data for a specific service, there must be no doubt that they will not be used for another purpose.

It is therefore important to ensure that the methods of data collection are fair, lawful and transparent. Where applicable, for back-office processing performed “nearshore” or “offshore” (e.g., support or problem-solving centres in Southeast Asia), it must be disclosed that the data are likely to be processed outside the EU.

Business opportunities and review of your digital strategy

Respect for the new regulation can open up real business opportunities:

“If one is positive, this overlap of regulatory constraints can turn into a gold mine.”

By putting their house in order, companies will be able to present this as a competitive strength to their customers. They may, for example, declare that they do not monetize personal data, or that they use it only in the customer's own interest and with the customer's consent (for example, remembering which point of sale or contact channel the customer has chosen for the service).

This approach encourages creating, or at least reconsidering, your digital strategy. It leads to a restructuring of database processing, including private data. In effect, it makes the following case:

Not only do I respect the regulations in the eyes of my users or customers, but, being transparent, I propose that their data be used to improve the service.

Principle of responsibility

This transparent approach suits all major groups. Alongside it stands the principle of responsibility between the subcontractors (processors) and the collector and holder of the data (never its “owner”, because the data remain the property of the individuals concerned). The data collector is responsible for the correct application of the rules by its subcontractors.

Advancement in legal and computer matters

You have to be pragmatic, and act on the legal, technical and other aspects of the data. There are tools, such as the DPIA (Data Protection Impact Assessment), that facilitate various tasks, as well as codes of conduct and good-practice guides such as those published by the ICO (UK).

Mapping personal data, whether held in files or in applications, can lead to hundreds of actions. It is therefore recommended to design a prioritization plan based on the nature and sensitivity of the data.

The implementation of security and traceability procedures is also, in itself, a process of continuous improvement.

Company compliance diagnostics or audits are therefore welcome. You can then act specifically on the basis of the impact assessment. In some respects, it may be appropriate to seek outside support.

The limits of encryption

It is recommended to encrypt upstream, especially for payment procedures or financial transactions governed by standards such as PCI DSS. But it can be very tedious for some organizations: it can take a long time and be heavy-handed for large historical databases that hold little information (such as the recipients of a newsletter). It is not systematically recommended, as it may be disproportionate in some contexts.

Minimization, anonymization and pseudonymization

Applying the minimization principle exposes less data, by collecting only the data that is genuinely useful and necessary for the stated purpose.

We should not focus on technical mapping, but on identification, the right to identity within a limited scope, and qualification. “Can we keep this data? Yes, if we cannot do otherwise.”

Anonymization, which is irreversible, is a legally sound approach when strong confidentiality is required, while pseudonymization (which can be reversed) remains debatable, even though it is legally valid. But again, these processes are tedious and costly if done after the fact.
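The distinction between the three techniques discussed above (minimization, reversible pseudonymization, irreversible anonymization) is easier to see on a record than in the abstract. The following is an added example, not code from the original article or from any project it cites; the record, the purpose-to-field table and the key handling are constructed assumptions. Pseudonymization here is a keyed HMAC plus a token-to-identifier table that is meant to be stored apart from the pseudonymized dataset; anonymization drops direct identifiers and generalizes the rest into bands, so the original cannot be recovered from the output.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not real data).
SAMPLE = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "birth_year": 1984,
    "postcode": "75011",
    "newsletter": True,
    "phone": "+33 6 12 34 56 78",
}

# Assumed purpose register: which fields each stated purpose may use.
PURPOSE_FIELDS = {
    "newsletter": {"email", "newsletter"},
    "age_statistics": {"birth_year", "postcode"},
}


def minimize(record, purpose):
    """Keep only the fields the stated purpose actually needs."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


class Pseudonymizer:
    """Reversible pseudonymization: keyed HMAC tokens plus a lookup table.

    The key and the token table are the 'additional information' that makes
    re-identification possible; they belong in a separately secured store,
    never alongside the pseudonymized dataset.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # token -> original identifier

    def pseudonymize(self, identifier):
        token = hmac.new(self.key, identifier.encode("utf-8"),
                         hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token):
        """Only possible for the holder of the key and the lookup table."""
        return self._lookup.get(token)


def anonymize(record, reference_year=2018):
    """Irreversible: drop direct identifiers and generalize the rest.

    Age is reduced to a ten-year band and the postcode to its first two
    digits, so the output cannot be mapped back to one person.
    """
    age = reference_year - record["birth_year"]
    low = (age // 10) * 10
    return {"age_band": f"{low}-{low + 9}", "region": record["postcode"][:2]}


if __name__ == "__main__":
    print(minimize(SAMPLE, "newsletter"))
    p = Pseudonymizer()
    tok = p.pseudonymize(SAMPLE["email"])
    print(tok, "->", p.reidentify(tok))
    print(anonymize(SAMPLE))
```

The point the passage makes shows up in the two return paths: `reidentify` works only for whoever holds the key and table, so the pseudonymized data remain personal data, whereas `anonymize` has no inverse at all, which is why the article treats it as the stronger legal footing.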

Right to information and deletion

The right to information, which is also the right to be consulted, must remain a concern, “in a dynamic and proactive way.”

The obligation to delete or purge raises the question of how long data should be retained, which depends on its nature and on contractual commitments or general terms and conditions; this has a direct impact on the action to take. This chapter also raises questions about the duty of memory and the right to history, and it touches on freedom of the press, which aims to preserve the memory of events.

In the long run, jurisprudence and readjustments …

On balance, compliance with the GDPR is an ongoing process. The GDPR is an inflation of articles: 99 of them, twenty more than the 1978 law, introduced by 173 “recitals” open to as many interpretations. Nothing is yet clear enough, but court cases will settle certain points.

Finally, we note that the stakes are global and head-on. The legal principle is the most important part of the GDPR, and it is not about freedom, but about dignity and respect for the dignity of people.