RGPD audit: combining business with pleasure

By Alexis Quentrec

Published: November 12, 2024

The RGPD embodies a lot of fantasies: disproportionate new obligations, an organization to be overhauled, prohibitive penalties, etc. But what about you? Might you already be equipped to manage the RGPD without knowing it?

A very brief reminder

Without going into too much detail, the General Data Protection Regulation (RGPD) will come into force on May 28.

Its transposition into French law is currently being debated in Parliament, but the major obligations are set in stone.

Personal data is any data that characterizes, directly or indirectly, a natural person: last name, first name, personal or professional e-mail address, physical address, telephone number, etc. It also includes all metadata linked to the use of various online services or to electronic exchanges.

Aiming to provide a framework for the use of personal data, the RGPD lays down a number of obligations regarding the collection and processing of personal data.

These include, but are not limited to, explicit consent (and proof of consent), data retention periods, and the right to modify/delete/port data.

Other obligations are established for companies, beyond their direct relationship with users and customers:

  • the appointment of a Data Protection Officer,
  • keeping a processing register,
  • co-responsibility for processing with subcontractors,
  • etc.

Last but not least, the "privacy-by-default" approach to the deployment of new services has become sacrosanct: companies are required to secure data in proportion to the risks incurred for people's rights and freedoms, and they can now organize their own best practices through codes of conduct.

In short, there are many elements that cover both technical and organizational aspects, and that go far beyond the field of cyber-security, reinforcing the apparent complexity induced by this regulation.

Gnothi seauton

No, it's not a swear word, it's ancient Greek. The aphorism "Gnothi seauton", which means "Know thyself", has been attributed to Thales, Pythagoras, Heraclitus and Socrates alike.

For those who prefer a more modern reference, the Matrix film produced by the Wachowskis popularized "Temet Nosce", the Latin translation of the preceding Greek phrase.

This maxim sums up the way to look at the approach to RGPD compliance: to draw up an action plan, you first need to measure how far you are from the goal. An initial audit allows you to take stock of efforts already in place and ways of doing things.

This audit is essential to prepare the change management to be carried out thereafter: beyond technical measures, the main RGPD impact concerns accountability for data use, and that accountability rests exclusively with the human data controller.

This initial audit is very far from being an end in itself; in fact, the opposite is true. Rather than freezing a situation, it marks the starting line for the race that is RGPD compliance (the distance of which will be more or less long depending on what the audit brings to light).

This audit must not remain an analysis lost among other documents, on an untidy desk. On the contrary, it must be translated into a roadmap, with clearly identified actions, concrete deliverables and a more global vision of how these actions fit together to lead to RGPD compliance.

Using a partner with expertise in the subject under consideration can be a first step towards RGPD compliance: this point of contact and expertise will be able to federate the company's energies around a common challenge and cross-disciplinary skills: legal, IS, marketing, purchasing, etc.

Learning by doing

The initial audit enables us to draw up an initial assessment of what's going on, but above all to build an action plan to develop the organizations, processes and tools in place.

The aim is not to fall victim to new regulations, but to take advantage of these new ways of working: to refine and optimize processes, and to generate different, differentiating value for end-users.

To achieve this, it is essential to work closely with the company's internal stakeholders: the legal department cannot be the sole guarantor of compliance. This is a cross-functional issue, and deeply dependent on everyone's working methods.

Yes, ways of working will be impacted by these regulations; changes in working methods will be imposed globally on everyone, with a new way of approaching the consumption of personal data.

This includes the relationship with subcontractors, who are more than ever essential stakeholders in this project. With the system of co-responsibility established between the data controller (= the client company) and the processor, it is no longer possible to unbalance the relationship in favor of one or other of the parties.

The relationship with the processor is all the more important as it is often linked to the use of certain key expertise in the processing of personal data: statistical analysis using Big Data, HR processing, marketing campaigns, etc.

Involving the subcontractor in RGPD compliance efforts therefore strengthens the overall security of personal data processing.

By aiming for continuous improvement, through more or less formal points, everyone can become a player in RGPD compliance by taking ownership of the points identified during the audit. We need to create value by uniting people's wills in a common project that is binding on all, and that transforms practices.

What about the finish line?

The first thing to clarify is that there is no such thing as "RGPD Certification". What is planned instead is certification of compliance with codes of conduct, offered not by the CNIL and its European equivalents, but by companies and business associations.

As there is no "official RGPD certification", each company needs to build its own certification, which will serve as an "internal code" for personal data processing.

This "internal code" must have been considered upstream, on the basis of the initial audit and the business needs reported: it constitutes the internal frame of reference for the use of personal data.

The creation of this code will serve multiple purposes:

  • It will guarantee consistency in the use of personal data (data collected, collection methods, consent, requirements for subcontractors, retention periods, etc.);
  • It will serve as a reference for working with subcontractors;
  • It will serve as a target for checking that the objectives identified during the initial audit have been met.

In fact, this "internal code" needs to be confronted with reality through a second, more formal audit. The scope of this new audit goes beyond the internal framework and must involve all the stakeholders initially identified.

Considering the purposes of this "internal code", it must not focus solely on broad general principles or vague designations: it must frame expectations unequivocally, particularly with regard to the specific techniques used to guarantee the confidentiality of personal data (the encryption algorithm, for example, but also the acceptable types of multi-factor authentication, etc.).

The aim is to identify areas for improvement, as it's essential to consider that RGPD compliance won't be achieved overnight.

What's more, it's important to bear in mind that the scope covered by RGPD within the company will be constantly evolving (new processing operations, application additions and deletions, etc.).

In concrete terms, how does the audit work?

The keystone of this system is a critical, objective and benevolent eye that provides you with added value.

You can have this eye in-house - and that's an excellent thing - and it can be embodied by your Correspondant Informatique et Libertés / future Délégué à la Protection des Données (Data Protection Officer).

However, this situation is not widespread, and is more the exception than the rule.

In all cases, you need to go beyond the traditional notion of an audit that points out bad behavior, and move towards a more global approach that takes into account:

  • Your business context - all the more important in view of the RGPD;
  • Your business context;
  • Your IS context;
  • Your human context.

Nuageo, through GDPReady, can support you in this move towards the RGPD:

  • we bring a cross-functional vision of your contexts in light of RGPD issues,
  • we propose a roadmap,
  • we support you in managing and achieving the objectives of this roadmap, which goes beyond purely legal or technical issues.

The real challenge is to give you the means to deliver the added value your business needs, while respecting the confidentiality of personal data.

Article written by Alexis Quentrec, RGPD specialist at Nuageo, Cabinet de Conseil Cloud Computing.

Article translated from French