Coming into force in six months, the General Data Protection Regulation (GDPR) drafted in Brussels worries companies. Yet, bound by the French Informatique et Libertés law, they have already taken steps to protect personal data. Although the new regulation is more restrictive, tools and best practices make it straightforward to comply with. By Yves Pellemans, CTO of Axians France.
While many companies are giving in to panic over the GDPR, it is worth keeping a cool head. There is no need to cry out: the GDPR only reinforces the personal-data confidentiality rules that every French company already had to comply with under the Informatique et Libertés law. The consent and transparency requirements on the use of data, already present in the 1995 law, are strengthened: the new regulation requires that clear, intelligible and easily accessible information be provided to the people whose data is processed.
The GDPR will not be a big bang for data
On the other hand, new rights do appear, such as the erasure of data and its portability, that is, the right of any person to retrieve their data or to have it transferred to a third party. Another novelty is the obligation to carry out a full impact assessment on sensitive data, setting out the characteristics of the processing, the risks and the measures adopted.
But let us keep things in proportion. Although the GDPR brings novelties, it is not, for French companies, the big bang announced by some. For the majority of them, the processing, storage and retention of personal data already met the ISO 27000 standards and the CNIL's requirements. Finally, the digital transformation that companies have undertaken has already forced them to do substantial work on data management.
Mapping structured and unstructured data
To meet the growing demands and the novelties of the GDPR, companies will therefore have to improve their knowledge of their data. For structured data, meaning data held in business applications, companies will need to implement tools and best practices to identify personal data and to guarantee, when a user requests it, its extraction, cancellation, deletion and anonymisation. This data, which accounts for 20% of corporate data, is easily auditable by the business teams or by the application vendors.
The new GDPR requirements are, on the other hand, more complex to implement for unstructured data. Scattered across the company, it is handled by business departments (HR, sales, marketing, general services, etc.) and by internal and external users, and it is stored on file servers, in Dropbox accounts, on external hard drives and elsewhere. It is therefore very difficult to know where it is stored and to identify who is authorised to consult it.
Audits of this unstructured data are typically performed by IT infrastructure specialists who, with the help of tools, determine the nature of the data held on file servers or in PDFs, whether inside or outside the company. They map all the data, classify it and identify the associated access rights. Once this inventory is complete, they move on to remediation plans that define access rights according to the data. For example, only HR may be allowed to handle the driving-licence data of employees held by the company's vehicle fleet service.
Today this unstructured data, described as the soft underbelly of the GDPR, accounts for 80% of the company's data.
Europe has a culture of data protection
Although only a few months remain to comply with the GDPR, the supervisory authorities should be lenient, in case of non-compliance, with companies that have launched action plans and put tools in place to carry out data-management audits every three or six months.
And to those who cry foul over the GDPR, it is worth remembering that, unlike the broad American liberalism on data, Europe has always taken a protectionist stance. The GDPR only reinforces its cu