{"id":219532,"date":"2019-05-27T15:34:49","date_gmt":"2019-05-27T13:34:49","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=219532"},"modified":"2019-05-27T15:34:49","modified_gmt":"2019-05-27T13:34:49","slug":"rgpd-saison-2","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/rgpd-saison-2\/","title":{"rendered":"GDPR \u2013 Season 2"},"content":{"rendered":"

[et_pb_section fb_built= \u00bb1\u2033 _builder_version= \u00bb3.23.3\u2033][et_pb_row _builder_version= \u00bb3.23.3\u2033][et_pb_column type= \u00bb4_4\u2033 _builder_version= \u00bb3.23.3\u2033][et_pb_text _builder_version= \u00bb3.23.3\u2033]<\/p>\n

THE General Data Protection Regulation<\/strong> celebrates the first anniversary of its implementation May 25, 2018<\/strong>.<\/p>\n

What lessons can be learned from this first year? Intrinsec answers you based on its experience supporting companies in their compliance efforts.<\/p>\n

 <\/p>\n

A first phase of transition<\/strong><\/h3>\n

The requirements of the GDPR pose numerous challenges to businesses<\/strong> First among these are the need to develop the necessary skills and to align practices with data protection requirements.<\/p>\n

The construction sites of compliance<\/strong> have often been initiated by the legal departments of companies, mobilizing resources to initiate or complete registers, train employees and the DPO, integrate the concepts of data protection by default and by design, regulate subcontracting and data transfers\u2026<\/p>\n

Reminder of the processes to be implemented:\u00a0<\/strong><\/em><\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version="3.23.3"][et_pb_column type="4_4" _builder_version="3.23.3"][et_pb_image src="https:\/\/www.intrinsec.com\/wp-content\/uploads\/2019\/05\/RGPD.png" align="center" _builder_version="3.23.3" width="90%" custom_padding="0px|||||"][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version="3.23.3"][et_pb_column type="4_4" _builder_version="3.23.3"][et_pb_text _builder_version="3.23.3"]<\/p>\n

It became necessary to evolve the information system and to equip ourselves with tools for collecting consent, exercising access and erasure rights, anonymization, encryption, securing applications, detecting data breaches, etc.<\/p>\n

For many companies, the compliance process is still ongoing. Especially since needs evolve with the recommendations from the CNIL<\/strong> and case law. Indeed, the regulation is only in its early stages in terms of application.<\/p>\n

 <\/p>\n

Real opportunities<\/strong><\/h3>\n

While the GDPR is often seen as an additional constraint, the opportunities are very real. The GDPR compliance process is a unique opportunity for companies to streamline their data management<\/strong>, a reflex that is still far from being systematic in organizations.<\/p>\n

The steps presupposed by the GDPR, such as having a data map, having... clearly defined processes and responsibilities<\/strong> effectively revert to implementing a effective data governance<\/strong>.<\/p>\n

Clean up your commercial base<\/strong> Achieving compliance allows a company to refocus on its most promising prospects by adopting a more qualitative than quantitative approach. Furthermore, privacy-respecting practices enhance the organization's image with its clients and partners. For example, Cdiscount highlighted that it was the first e-commerce company to receive the CNIL's GDPR "Governance Procedure" label. Ultimately, this approach can become... a real economic and competitive advantage<\/strong>.<\/p>\n

 <\/p>\n

A better consideration of security<\/strong><\/h3>\n

Many measures within a security policy contribute to data protection. For example, Surface encryption of workstations and control of removable media<\/strong> These measures help prevent data leaks. They are therefore valued in the context of compliance.<\/p>\n

The GDPR's prerequisites for protective measures reinforce "by extension"\u00ab the voice of the internal CISOs<\/strong>, which are facing a more favorable environment thanks to more aware users. According to an IFOP survey, 70% of French people say they are now more sensitive to the issue of personal data protection<\/strong>. Data protection and IT security requirements are spreading even to SMEs. We clearly observe that many companies are undertaking security projects and gaining maturity through our GDPR support missions.<\/p>\n

 <\/p>\n

What security measures should be put in place?<\/strong><\/h3>\n

The GDPR does not list a catalog of security measures to be implemented, even though it mentions pseudonymization and encryption. It commits data controllers and processors to implement appropriate technical and organizational measures<\/strong>. This is about\u2019adapt the level of security to the risk<\/strong>, not for the organization, but for the people involved.<\/p>\n

The risk must be assessed through an impact analysis involving the DPO, business units and the CISO to identify the measures in place and those to be considered. Intrinsec consultants support their clients in their GDPR and ISO 27001 compliance projects.<\/strong>, by implementing security policies and measures adapted to their context and addressing data protection challenges (Discover our offers Compliance<\/a><\/strong>).<\/p>\n

Encryption comes in various forms, including stream encryption (TLS), database encryption, backup encryption, file encryption, and storage media encryption. It can be complex to implement and doesn't address all security challenges. Indeed, "transparent" data encryption relies heavily on access control for security.<\/p>\n

Rigorous management of access rights remains essential<\/strong> To ensure that only authorized personnel have access to personal data, it is essential to verify that authentication methods are reliable, that the password policy complies with CNIL recommendations and is understood by users, and that user profiles are appropriate for the mission's needs. Furthermore, processes for managing access, granting, and reviewing authorizations must be in place. It was primarily due to a lack of access management that the public hospital in Barreiro, Portugal, was sanctioned.<\/p>\n

 <\/p>\n

Controls and sanctions: what should we expect?<\/strong><\/h3>\n

The authorities had taken a strong stance with the decision to raise the maximum amount of a penalty for non-compliance to 4% of global revenue <\/strong>total for the previous fiscal year or 20 million euros<\/strong>. What has actually happened so far?<\/p>\n

The bulk of the fines issued by the CNIL in the first year of the GDPR's implementation consists of the fine imposed on Google; the other sanctions predate the GDPR. This \u20ac50 million fine against Google represents almost all of the fines issued at the European level to date.<\/p>\n

In the absence so far of a significant example involving a European private company, it is sometimes difficult for those in charge of compliance projects and the DPO to make their voices heard internally, particularly with senior management.<\/p>\n

However, it must be emphasized that The CNIL unveiled its strategy for 2019 at the end of April.<\/strong>. While maintaining a supportive approach, the CNIL explains that "in terms of control and enforcement policy, 2019 marks the completion of the transition phase between the old and new legislation" and that henceforth it "\u2019\u00a0will fully verify compliance with the new obligations and rights arising from the European framework<\/strong>\u00a0\u00bb.<\/p>\n

The ideal solution for companies is to anticipate the audit by implementing control measures.<\/strong>. It is therefore necessary to have the skills and tools to assess the security level of your information system from the perspective of an attacker, in order to correct vulnerabilities before they are exploited to steal personal data (Discover our offers Assessment<\/a><\/strong>).<\/p>\n

Having effective response measures in place allows for the swift implementation of all necessary steps to mitigate the impact on those affected in the event of a violation.<\/strong>\u00a0:<\/p>\n