GDPR: after May 25, what actions in the medium and long term?

Scenario after GDPR compliance measures

What comes after the main GDPR compliance procedures? What actions can be taken in the medium and long term? Should we wait for the laws for specific cases or scenarios?

Here, we will look at some expert recommendations.

On May 25, 2018, once the main provisions to comply with the new GDPR regulation have been implemented, any new action must comply from the design stage and be adequately protected. However, there will still be much to do. Once the main indicators have been treated as priorities, we must continue advancing the projects presented in the roadmap to avoid the risk of being exposed to sanctions and fines. In fact, the regulation considers that the work of the DPO (data protection officer) is permanent: it is part of a continuous improvement process. It is therefore a matter of continuing to apply the best procedures. These may be genuine IT projects or programmes, with the traditional 6-18 month lead times that many experts have observed.

Facing the Risks of Collective Actions

No one knows exactly what actions and what controls will be exercised. On the other hand, it must be understood that organizations are exposed to collective actions by users, clients or consumers, and the risk of being found in breach is always real.

Among medium and long-term work, reference can be made to the right of access (with rectification, objection and deletion), as well as the right to portability, which will allow data subjects to retrieve a file that can be transmitted electronically to a third party, typically in the event of a change of provider.

The information/communication component can also be an important programme. In particular, it is vital to be transparent about the purpose of the processing. For example, if I provide my personal data for a specific service, it must not be used for another purpose.

Therefore, it is important to ensure that the methods of data collection are fair, lawful and transparent. Where applicable, for “near-shore” or “off-shore” administrative processing (for example, inquiry or troubleshooting centres in Southeast Asia), it should be disclosed that the data is likely to be viewed outside the EU.

Business Opportunities and Review of your Digital Strategy

Compliance with the new regulation can open up real business opportunities:

“If one is positive, this overlapping of regulatory restrictions can become a gold mine.”

By getting their house in order, companies will be able to communicate their competitive strengths to their customers. They can, for example, state that they do not monetize personal data, or that they do so in your interest after obtaining your consent: for example, by recording your chosen point of sale or the contact points you have selected for the service.

Such an approach encourages you to create, or at least reconsider, your digital strategy. It leads to restructuring the processing of databases, including private data. For example, it shows that:

Not only do I respect the regulations in the eyes of my users or clients, but I propose, being transparent, to take advantage of them to improve the service.

Responsibility Principle

This transparent approach is particularly appropriate for all major groups. The principle of responsibility governs the relationship between the subcontractors and the collector of the data (never its “owner”, because the data remains the property of the individuals). The data collector is responsible for the correct application of the rules by its subcontractors.

Advance in Legal and IT

You have to be pragmatic. You must act on the legal, technical and other aspects of the data. There are tools, such as the DPIA (Data Protection Impact Assessment), that facilitate various tasks, as well as codes of conduct and good practice guides such as those of the ICO (UK).

Mapping personal data, in files or applications, can involve hundreds of actions. It is therefore recommended to design a prioritization plan based on the nature and sensitivity of the data.

The implementation of security and traceability procedures is also, in itself, a process of continuous improvement.

It is therefore advisable to carry out company compliance diagnostics or audits. You can then act on an ad hoc basis according to the impact assessment. For some aspects, it may be useful to call on outside support.

The limits of encryption

Upstream encryption is recommended, especially for payment procedures or financial transactions such as those covered by PCI DSS. But it can be very tedious for some organizations. It can be time-consuming, and cumbersome for high-volume, low-information historical databases (such as newsletter recipient files). It is not routinely recommended, as it may be disproportionate in some contexts.

Minimization, anonymization and pseudonymization

Applying the principle of minimization reduces the data exposed, by collecting only the data that is really useful and necessary for the stated purpose.

We must not focus on technical mapping, but on identification, the right to identity within a limited scope, and qualification. “Can we keep this data? Yes, if we cannot do otherwise.”

Anonymization, which is irreversible, is a sound approach under the law when strong confidentiality must be ensured, while pseudonymization (which is reversible) remains debatable, even if it is legally valid. But again, these processes are tedious and expensive if carried out after the fact.
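As an added illustration (not from the original article), the following Python sketch applies the three techniques above to a constructed newsletter-style file: minimization keeps only the fields the stated purpose needs, pseudonymization replaces the identifier with a keyed token that can be reversed only through a separately held mapping table, and anonymization drops and generalizes fields irreversibly. The field names, the key and the records are assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Set, Tuple

# Constructed sample records (not real people): a newsletter recipient file.
RECORDS = [
    {"email": "alice@example.org", "name": "Alice", "birth_date": "1984-03-12",
     "postcode": "75011", "opened_last": 4},
    {"email": "bob@example.org", "name": "Bob", "birth_date": "1990-11-02",
     "postcode": "69003", "opened_last": 0},
]

# Assumption: only these fields are needed for the stated purpose (sending a newsletter).
NEEDED_FOR_NEWSLETTER = {"email", "opened_last"}


def minimize(record: Dict, needed: Set[str]) -> Dict:
    """Minimization: keep only the fields required for the stated purpose."""
    return {k: v for k, v in record.items() if k in needed}


def pseudonymize(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Pseudonymization: replace the direct identifier with a keyed token (HMAC-SHA256).
    The token itself cannot be inverted; 'going back' is possible only through the
    mapping table, which must be stored apart from the pseudonymized data."""
    mapping: Dict[str, str] = {}
    out = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = r["email"]
        pseudo = dict(r)
        pseudo.pop("name")          # drop the other direct identifier
        pseudo["email"] = token
        out.append(pseudo)
    return out, mapping


def reidentify(token: str, mapping: Dict[str, str]) -> str:
    """Reverse a pseudonym using the separately held mapping table."""
    return mapping[token]


def anonymize(record: Dict) -> Dict:
    """Anonymization: irreversible. Direct identifiers are removed and
    quasi-identifiers generalized (birth year only, postcode area only)."""
    return {"birth_year": record["birth_date"][:4],
            "area": record["postcode"][:2],
            "opened_last": record["opened_last"]}
```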

Right of Information and Deletion

The right to information, which is also the right to question, must also continue to be a concern, “in a proactive and dynamic manner.”

The obligation of deletion or purging raises the question of how long the data must be kept, which depends on its nature and on the contractual commitments or general terms. This has a direct impact on the actions to take. This chapter also raises questions about the duty to remember and the right to history, and it also touches on freedom of the press, which aims to preserve the memory of events.

In the Long Term, Jurisprudence and Readjustments…

On balance, GDPR compliance is an ongoing process. The GDPR inflates the number of articles: twenty more than the 1978 law, that is, 99 articles, introduced by 173 ‘recitals’ with as many possible interpretations. Not everything is clear enough yet, but litigation will focus on certain points.

Finally, we note that the stakes are global and head-on. The legal principle is the most important part of the GDPR; however, it is not a matter of freedom but of dignity, and of respect for the dignity of people.
