The EU General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. This regulation prompts companies to demonstrate their rigour through certification. AFNOR Certification offers one such certificate. Here we take a look.
Not a week goes by without some new data leakage incident following negligence or a cyber attack. Disclosed e-mail addresses, hacked customer data… The latest scandal to hit the headlines was in November 2017, when giant Uber announced the theft of data concerning some 50 million users. The fact that the platform waited a full year before revealing the breach illustrates how sensitive this subject is!
In the space of a few years, personal data security has become a major issue for companies that use or collect this data, for companies that do so for others, as well as for private individuals, who are increasingly unwilling to disclose their data. Today, this issue goes well beyond the scope of privacy; it now encroaches on the economic sphere.
GDPR: France well prepared
France has benefited from a stringent regulatory framework since 1978, overseen by the CNIL (Commission nationale de l’informatique et des libertés – the national commission for personal data protection and privacy). However, as of 25 May 2018, Europe will shift up a gear with its General Data Protection Regulation (GDPR), a binding measure finalized in 2016. A French draft bill that deals more broadly with personal data refers to it and is intended to update the national personal data protection and privacy law accordingly. “The GDPR reiterates many existing legislative provisions, such as the right of access to data, the right to rectify data, or portability,” explains Sandra Di Giovanni, Head of the AFNOR Certification Digital Confidence division. “But it also introduces new rules for greater protection.” For example, companies will have to apply the principle of privacy by design, i.e. be able to prove that the protection of personal data was built into an IT tool that uses such data right from its design phase. In some cases, companies will be required to appoint a data protection officer (DPO).
Another new aspect is the recognition of subcontractors (the GDPR’s “processors”). “In 2014, the CNIL condemned a French telephone operator from which data concerning 1.3 million customers and prospects was stolen. The investigation revealed that the breach came from a service provider,” says Benoît Pellan, Project Manager for AFAQ Personal Data Protection, the distinctive “seal” that AFNOR Certification is currently developing for companies seeking to show their credentials. Under the GDPR, companies that commission such services will now have to make sure that their subcontractors also observe security requirements, and are able to inform them quickly of any personal data breach. “We often face complex lines of command in which responsibilities may appear to be blurred. The new regulation clarifies the roles and obligations of the data controller, the co-data controller and the subcontractor, for example by setting out the necessary clauses in a contract,” continues Benoît Pellan. Moreover, these rules do not only concern European companies: any organization that collects and processes personal data relating to EU citizens will be required to meet these obligations, wherever it is located.
Proving good faith
So how can your company protect itself? AFAQ Personal Data Protection, the new seal of trust developed by AFNOR Certification along with the Artemont firm, seeks to obtain the CNIL’s accreditation once the CNIL has defined the conditions for it. For the holder, this will confer a presumption of GDPR compliance. Once issued, the certificate will be valid for three years, subject to an annual monitoring audit. “This audit comprises a documentary phase and an audit phase to analyze the efficacy of the procedures put in place to manage personal data,” points out Benoît Pellan. The certificate is not a blank cheque; it is an element of proof, in the event of an inspection, that the company has implemented all possible means to achieve compliance.
In this respect, article 42 of the GDPR encourages certification, describing it as “voluntary and achievable via a process that is transparent”. The text states that “The specific needs of micro, small and medium-sized companies shall be taken into account”. It also implicitly endorses a powerful notion: certification clearly offers a form of economic benefit. “It creates an environment of trust between partners. It will allow a prime contractor to rely on the control by a third party when choosing its service providers. It could even become a criterion in requests for proposals”, stresses Benoît Pellan. So you’ve got months left to get going!
“Don’t wait until 25 May 2018!”
Three questions for Benoît Pellan, Project Manager for AFAQ Personal Data Protection.
What will happen on 25 May 2018?
The CNIL affirms that this is not a cut-off date. It is obvious that not all companies will be mature with respect to this regulation by 25 May. However, they must have taken the first steps concerning the basics of the GDPR, and be able to demonstrate that they have initiated certain actions.
What role does AFAQ’s Personal Data Protection certification play?
Article 42 of the GDPR recommends that companies protect themselves through certification. This is the objective of our AFAQ certification. On the one hand, it proves the company’s good faith and proactive approach to protecting personal data, which serves to reassure customers. On the other hand, it demonstrates a long-term structural commitment to ensure the sustainability and continuity of the means employed.
When should companies start?
As soon as you’re up and running! To issue the certificate, the auditor must have at least three months’ hindsight in order to trace the data concerned and monitor it over a sufficiently long period. That’s why we already offer a pilot version of this certification. It will be finalized starting in March 2018, once the CNIL and its counterparts have defined the eligibility criteria. We will then request official approval.