The EU General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. This regulation prompts companies to demonstrate their rigour through certification. AFNOR Certification offers one such certificate. Here we take a look.
Not a week goes by without some new data leakage incident following negligence or a cyber attack. Disclosed e-mail addresses, hacked customer data… The latest scandal to hit the headlines was in November 2017, when giant Uber announced the theft of data concerning some 50 million users. The fact that the platform waited a full year before revealing the breach illustrates how sensitive this subject is!
In the space of a few years, personal data security has become a major issue for companies that use or collect this data, for companies that do so for others, as well as for private individuals, who are increasingly unwilling to disclose their data. Today, this issue goes well beyond the scope of privacy; it now encroaches on the economic sphere.
GDPR: France well prepared
France has benefited from a stringent regulatory framework since 1978 in the shape of the CNIL (Commission nationale de l’informatique et des libertés – National commission for personal data protection and privacy). However, as of 25 May 2018, Europe will shift up a gear with its General Data Protection Regulation (GDPR), a binding measure finalized in 2016 and referenced by a French draft bill that deals more broadly with personal data and is intended to update the national personal data protection and privacy law. “The GDPR reiterates many existing legislative provisions, such as the right of access to data, the right to rectify data, or portability,” explains Sandra Di Giovanni, Head of the AFNOR Certification Digital Confidence division. “But it also introduces new rules for greater protection.” Thus, for example, companies will have to subscribe to the principle of privacy by design, i.e. be able to prove that, right from the design phase of an IT tool that uses personal data, the protection of this data has been built in. In some cases, companies will be required to appoint a data protection delegate.
Another new aspect is the recognition of subcontractors. “In 2014, the CNIL condemned a French telephone operator from which data concerning 1.3 million customers and prospects was stolen. The investigation revealed that the breach came from a service provider,” says Benoît Pellan, Project Manager for AFAQ Personal Data Protection, the distinctive “seal” that AFNOR Certification is currently developing for the benefit of companies seeking to show their credentials. Under the GDPR, companies that outsource processing will now have to make sure that their subcontractors also observe security regulations, and that those subcontractors are able to inform them quickly of any personal data breach. “We often face complex lines of command in which responsibilities may appear to be blurred. The new regulation clarifies the roles and obligations of the data controller, the co-data controller and the subcontractor, for example by setting out the necessary clauses in a contract,” continues Benoît Pellan. Moreover, these rules do not only concern European companies: any organization that collects and processes personal data relating to EU citizens will be required to meet these obligations, whatever its location.
Proving good faith
So how can your company protect itself? AFAQ Personal Data Protection, the new seal of trust developed by AFNOR Certification along with the Artemont firm, seeks to obtain the CNIL’s accreditation once the CNIL has defined the conditions for it. For the holder, this will confer a presumption of GDPR compliance. Once issued, the certificate will be valid for three years, subject to an annual monitoring audit. “This audit comprises a documentary phase and an audit phase to analyze the efficacy of the procedures put in place to manage personal data,” points out Benoît Pellan. The certification is not a blank check; it is an element of proof, in the event of an inspection, that the company has implemented all possible means for compliance.
In this respect, article 42 of the GDPR encourages the certification process as being “voluntary and achievable via a process that is transparent”. The text states that “The specific needs of micro, small and medium-sized companies shall be taken into account”. However, it also implicitly endorses a powerful notion: certification clearly offers a form of economic benefit. “It creates an environment of trust between partners. It will allow a prime contractor to rely on the control by a third party when choosing its service providers. It could even become a criterion in requests for proposals,” stresses Benoît Pellan. So you’ve got only months left to get going!