
RGPD: Who is affected by this new European regulation?

By Alexis Quentrec

Published: November 12, 2024

The General Data Protection Regulation, referred to as "RGPD" in French and "GDPR" in English, was adopted in April 2016 and becomes applicable on May 25, 2018.
This European regulation establishes and reinforces obligations regarding the use (i.e. processing) of the personal data of individuals located in the European Union, whatever their nationality.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person. Typically this includes surname, first name, postal address and e-mail address, but also date of birth, IP address, location data, online identifiers and so on. In short, any information that makes it possible to identify a natural person directly or indirectly. Note that pseudonymised data (a customer number, a hashed e-mail address) remains personal data as long as someone holds the means to link it back to the person.

The challenge of the RGPD is to provide a framework for this data when it is processed. Processing covers any operation performed on personal data in order to achieve a specific goal: collection, storage, consultation, transmission, analysis or erasure, whether automated through an IT service or carried out manually on a structured file.

For example, data may be processed to send a newsletter to all those who have given their consent: the email address (possibly together with first and last names) is processed to send the newsletter.
Processing can also involve compiling statistics to gain a better understanding of customers, using Big Data tools to profile the customer base. Profiling of this kind is itself regulated: users must be told about it, and decisions based solely on automated processing that significantly affect them are subject to specific restrictions.
Last but not least, we must not forget a case that concerns every company without exception: payroll management also involves the processing of personal data.

What obligations must be met?

As its name suggests, the regulation concerns the protection of personal data. The 88 pages of the regulation set out a framework to be respected and built upon. We've listed a few notable points below.

Rather than listing technical measures to be implemented, the regulation above all requires every company to know precisely what data it holds, how it is processed, for what purposes, and by whom or by what.
This leads to the keeping of a register of processing activities: for each processing operation, its purposes, the categories of data subjects and of data, the recipients, any transfers outside the EU, the planned retention periods and the security measures applied. The register is the reference guide that lets you identify the stakeholders and data concerned clearly and quickly in the event of a security incident. Companies with fewer than 250 employees are exempt only if their processing is occasional, presents no risk to data subjects and involves no sensitive data, which in practice leaves very few of them out.

The regulation also provides a framework for the behavior that companies must adopt towards end-user data, namely greater transparency and accountability.
Particularly noteworthy is the obligation to inform users, before their data is collected, of the purposes of the processing and its legal basis, of how long their data will be kept, of the recipients and of their rights, in a precise, explicit and easily accessible manner.

The appointment of a Data Protection Officer (DPO) is another key point. The DPO is the main architect of compliance with RGPD obligations: responsible for advising on data protection impact assessments, point of contact for data subjects and the supervisory authority, he or she is the keystone of RGPD compliance. Appointing a DPO is mandatory for public authorities and for companies whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of sensitive data; for everyone else it is strongly recommended.
A single DPO can be shared by a group of companies, particularly in the same business sector: the DPO can thus drive proposals to guarantee the security of personal data across different entities while ensuring the same level of protection for all the personal data processed.

Finally, companies will have to notify the supervisory authority of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned. The DPO is the natural contact point for this notification, but the obligation rests with the company itself; a processor that discovers a breach must in turn notify the controller without undue delay. When the breach is likely to result in a high risk to the individuals concerned, they too must be informed without undue delay, with a description of the likely consequences and of the measures taken or proposed to remedy the problem. In practice this means having an incident response process that can establish, within a few days, which data and which people are affected.

Who is subject to this regulation?

This regulation applies to any company established in the European Union that processes personal data, whatever the nationality or location of the individuals concerned, and therefore naturally to all companies established in Europe.

It also applies to companies established outside the EU when they offer goods or services to individuals located in the EU, or monitor their behavior (for example through tracking or profiling). Finally, companies established abroad that process personal data on behalf of European companies are also caught by the RGPD, as processors acting for an EU controller.

Thus, there is no difference between publishers and user companies: the same concern for personal data protection applies to both types of company.

Deterrent penalties

Compliance with this regulation must become a key element of corporate strategy: failure to take real and serious account of the regulation's obligations can result in heavy penalties.

Penalties for the less serious breaches (for example failing to keep the processing register, to notify a breach or to appoint a DPO when required) can be as high as 2% of the company's total worldwide annual turnover for the preceding financial year (for a company belonging to an international group, 2% of the group's turnover) or 10 million euros.
For the most serious breaches (the basic principles of processing, the conditions for consent, data subjects' rights, international transfers), the ceilings are doubled to 4% or 20 million euros. In all cases, the higher of the two amounts applies.

Beyond the financial damage, the repercussions will be greatest in terms of the offending company's image. For the aim of this regulation is not to punish a data leak as such, but to prevent risky behavior by companies that show little regard for personal data: a company that can demonstrate appropriate measures and a prompt, transparent response is in a very different position from one that cannot.

Publishers and users, the same battle?

While both have to satisfy the same need to protect personal data, they also share a common lever: these obligations are an opportunity.

Indeed, this regulation was designed to let any user of a service regain control over data that is handed over rather easily and is sometimes processed with little regard for its stated purpose.

This opens the door for companies and publishers wishing to promote an image of respect and integrity, by promoting the ethical handling of personal data.
To do this, anticipate the obligations of the RGPD by allowing users, for example, to:

  • Take control of their data and the use made of it, with a clear and precise list of the various processing operations and the option to opt in to each one.
  • Port their data by exporting it in a structured, machine-readable format (CSV, JSON, XML, etc.).
  • Delete their data clearly and simply from a dedicated space.
  • Have a dedicated point of contact for all data processing queries.

For a publisher, the added value will consist in positioning itself as a facilitator, and giving its customers the means to play an active role in the following areas in particular:

  • Data control (storage location, masking/encryption, etc.).
  • Communication in the event of an incident.
  • Transparency in terms of access and protection measures.
  • A dedicated point of contact for all questions relating to data confidentiality and processing.

A race already in the final sprint

The RGPD is just around the corner. To ensure compliance with the obligations set out in this regulation, it's essential to get to grips with it now and anticipate the efforts required.

Indeed, knowing and mastering one's data assets is substantial work, which must be carried out together with business teams whose day-to-day concerns are far removed from these issues.
All players must cooperate and coordinate to ensure compliance with the RGPD: taking on the profound challenges of this regulation is a real opportunity to offer differentiating value, in a data-related context that is undergoing lasting transformation.

Article translated from French