GDPR – Season 2
The General Data Protection Regulation (GDPR) celebrates the first anniversary of its entry into application on May 25, 2018.
What lessons can be learned from this first year? Intrinsec answers, drawing on its experience supporting companies in their compliance efforts.
A first phase of transition
The requirements of the GDPR pose numerous challenges to businesses. First among these are the need to develop the necessary skills and to align practices with data protection requirements.
Compliance projects have often been initiated by the legal departments of companies, mobilizing resources to create or complete processing registers, train employees and the DPO, integrate the concepts of data protection by default and by design, and regulate subcontracting and data transfers.
Reminder of the processes to be implemented:
[Figure: overview of the GDPR processes to be implemented – https://www.intrinsec.com/wp-content/uploads/2019/05/RGPD.png]
It became necessary to evolve the information system and for companies to equip themselves with tools for collecting consent, exercising access and erasure rights, anonymization, encryption, securing applications, detecting data breaches, etc.
For many companies, the compliance process is still ongoing, especially since needs evolve with the recommendations of the CNIL and with case law. Indeed, the regulation is only in its early stages in terms of application.
Real opportunities
While the GDPR is often seen as an additional constraint, the opportunities are very real. The GDPR compliance process is a unique opportunity for companies to streamline their data management, a reflex that is still far from being systematic in organizations.
The steps presupposed by the GDPR, such as having a data map and clearly defined processes and responsibilities, effectively amount to implementing effective data governance.
Cleaning up the commercial database
Achieving compliance allows a company to refocus on its most promising prospects by adopting a more qualitative than quantitative approach. Furthermore, privacy-respecting practices enhance the organization's image with its clients and partners. For example, Cdiscount highlighted that it was the first e-commerce company to receive the CNIL's GDPR "Governance Procedure" label. Ultimately, this approach can become a real economic and competitive advantage.
A better consideration of security
Many measures within a security policy contribute to data protection. For example, full-disk encryption of workstations and control of removable media help prevent data leaks. They are therefore valued in the context of compliance.
The GDPR's requirements for protective measures reinforce, by extension, the voice of internal CISOs, who now face a more favorable environment thanks to more aware users. According to an IFOP survey, 70% of French people say they are now more sensitive to the issue of personal data protection. Data protection and IT security requirements are spreading even to SMEs. Through our GDPR support missions, we clearly observe that many companies are undertaking security projects and gaining maturity.
What security measures should be put in place?
The GDPR does not list a catalog of security measures to be implemented, even though it mentions pseudonymization and encryption. It commits data controllers and processors to implement appropriate technical and organizational measures. It is about adapting the level of security to the risk, not the risk for the organization, but the risk for the individuals concerned.
The risk must be assessed through an impact analysis involving the DPO, business units and the CISO to identify the measures in place and those to be considered. Intrinsec consultants support their clients in their GDPR and ISO 27001 compliance projects by implementing security policies and measures adapted to their context and addressing data protection challenges (discover our Compliance offers).
Encryption comes in various forms, including encryption in transit (TLS), database encryption, backup encryption, file encryption, and storage media encryption. It can be complex to implement and does not address every security challenge. Indeed, "transparent" data encryption relies heavily on access control for its security: anyone the system authenticates sees the data in clear.
Rigorous management of access rights remains essential. To ensure that only authorized personnel have access to personal data, it is essential to verify that authentication methods are reliable, that the password policy complies with CNIL recommendations and is understood by users, and that user profiles are appropriate to the needs of the role. Furthermore, processes for managing access and for granting and reviewing authorizations must be in place. It was primarily due to a lack of access management that the public hospital in Barreiro, Portugal, was sanctioned.
Controls and sanctions: what should we expect?
The authorities had taken a strong stance with the decision to raise the maximum penalty for non-compliance to 4% of total worldwide revenue for the previous fiscal year or 20 million euros, whichever is higher. What has actually happened so far?
The bulk of the fines issued by the CNIL in the first year of the GDPR's implementation consists of the fine imposed on Google; the other sanctions predate the GDPR. This €50 million fine against Google represents almost all of the fines issued at the European level to date.
In the absence so far of a significant example involving a European private company, it is sometimes difficult for those in charge of compliance projects and the DPO to make their voices heard internally, particularly with senior management.
However, it must be emphasized that the CNIL unveiled its strategy for 2019 at the end of April. While maintaining a supportive approach, the CNIL explains that "in terms of control and enforcement policy, 2019 marks the completion of the transition phase between the old and new legislation" and that henceforth it "will fully verify compliance with the new obligations and rights arising from the European framework".
The ideal solution for companies is to anticipate the audit by implementing control measures. It is therefore necessary to have the skills and tools to assess the security level of your information system from the perspective of an attacker, in order to correct vulnerabilities before they are exploited to steal personal data (discover our Assessment offers).
Having effective response measures in place allows for the swift implementation of all necessary steps to mitigate the impact on those affected in the event of a breach:
- Detecting incidents and security vulnerabilities through the monitoring and analysis of a SOC.
- Identifying data leaks that may be circulating across the different layers of the Web through Cyber Threat Intelligence.
- Managing incidents and crisis situations by conducting investigations and immediately taking the appropriate remediation actions (the Intrinsec CERT is ready to mobilize for you).
Conclusion
The GDPR compliance process has generated momentum, established governance, and launched priority projects. As part of a continuous improvement approach, it is essential to evolve this approach. The focus must now be on fully integrating GDPR compliance within the organization and its information system.
Even more than the initial stage, this implies a strong change in culture and processes for business stakeholders and technical teams, and the acquisition of GDPR reflexes in all new projects and developments.
Intrinsec, a long-standing player in security and compliance since 1995, provides ongoing support to its clients through its Part-time DPO/CISO and Technical Assistance offers, letting them benefit from its expertise both in governance and in the concrete implementation of the protection system.