GDPR: after May 25, what actions in the medium and long term?

Scenario after GDPR compliance measures

What’s next after the main GDPR compliance procedures? What actions can be taken in the medium and long term? Should we wait for laws for specific cases or scenarios?

Here, we will look at some expert recommendations.

On May 25, 2018, once the main provisions needed to comply with the new GDPR regulation have been implemented, any new processing must be compliant from the design stage and adequately protected. However, there will still be much to do. Once the main indicators have been treated as a priority, we must continue advancing on the projects set out in the roadmap to avoid the risk of exposure to sanctions and fines. The regulation treats the position of DPO (Data Protection Officer) as a permanent one: it is part of a continuous improvement process. It is therefore a matter of continuing to apply best practice. These may be genuine IT projects or programs, with the traditional 6-18 month lead times that many experts have noted.

Faced with the Risks of Collective Actions

No one knows exactly what actions will be taken or what controls will be exercised. On the other hand, it must be understood that organizations are exposed to collective actions by users, clients or consumers, and the risk of being found in breach is always real.

Among the medium- and long-term work items, reference can be made to the right of access (with rectification, objection and erasure), as well as the right to portability, which allows data subjects to recover their data as an electronically transferable file that can be passed to a third party, typically in the event of a change of provider.

The information/communication component can also be an important program. In particular, it is vital to be transparent about the purpose of processing. For example, if I give my personal data for a specific service, that data must not be used for another purpose.

It is therefore important to ensure that data collection is fair, lawful and transparent. Where applicable, for “near-shore” or “off-shore” administrative processing (for example, inquiry or troubleshooting centers in Southeast Asia), it must be disclosed that the data is likely to be viewed outside the EU.

Business Opportunities and Review of your Digital Strategy

Respecting the new regulation can open up real business opportunities:

“If one is positive, this overlapping of regulatory constraints can become a gold mine.”

By putting their house in order, companies will be able to communicate their competitive strengths to their customers. They can, for example, state that they do not monetize personal data, or that they do so in the customer's interest and with the customer's agreement, for example on the choice of point of sale or of the contact points used for the service.

Such an approach encourages you to create, or at least reconsider, your digital strategy. It leads to a restructuring of how databases, including those holding private data, are processed. The message it sends is, for example:

“Not only do I respect the regulations in the eyes of my users or clients, but I propose to them, transparently, that they take advantage of them to improve the service.”

Principle of Responsibility

This transparent approach is all the more appropriate for large groups. The principle of accountability governs the relationship between the subcontractors and the data collector, who holds the data (never its “owner”, because the data remains the property of the individuals concerned). The data collector is responsible for the correct application of the rules by its subcontractors.

Advances in Legal and Information Technology

You have to be pragmatic. You must act on the legal, technical and other aspects of the data. There are tools, such as the DPIA (Data Protection Impact Assessment), that facilitate various tasks, as well as codes of conduct and good practice guides such as those of the ICO (UK).

Mapping personal data across files and applications can involve hundreds of actions. It is therefore recommended to design a prioritization plan based on the nature and sensitivity of the data.

The implementation of security and traceability procedures is also, in itself, a process of continuous improvement.

It is therefore advisable to perform diagnostics or compliance audits of the company, and then act case by case on the basis of the impact assessment. In some respects, it may be appropriate to seek outside support.

The limits of encryption

Encryption at the point of collection is recommended, especially for payment procedures or financial transactions governed by standards such as PCI DSS. But it can be very tedious for some organizations: it takes a long time, and it is cumbersome for high-volume, low-information legacy databases (such as newsletter recipient files). It is not recommended across the board, as it may be disproportionate in some contexts.

Minimization, anonymization and pseudonymization

Applying the minimization principle allows less data to be exposed by collecting only the data that is truly useful and necessary in the context of the stated purpose.

The focus should not be on technical mapping, but on identifying and qualifying the data, and on the right to identify a person only within a limited scope. “Can we keep this data? Yes, if we can’t do something else.”

Anonymization, which is irreversible, is a sound approach under the law if strong confidentiality must be ensured, while pseudonymization (which allows the data to be re-linked to a person) remains debatable, even though it is legally valid. But again, these processes are tedious and expensive if done after the fact.
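As an added illustration of the three techniques this section names (example code written for this page, not from the original article), the block below minimizes constructed sample records to a stated purpose, pseudonymizes them with a keyed token that can be reversed only by whoever holds the separately stored lookup table, and anonymizes them by dropping identifiers and generalizing the remaining fields so they can no longer be linked back. The purpose-to-field mapping and the sample records are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.org", "name": "Alice", "birth_year": 1984,
     "postcode": "75011", "newsletter": True},
    {"email": "bob@example.net", "name": "Bob", "birth_year": 1991,
     "postcode": "69003", "newsletter": False},
]

# Hypothetical purposes and the only fields each one actually needs.
PURPOSE_FIELDS = {
    "newsletter": {"email", "newsletter"},
    "statistics": {"birth_year", "postcode", "newsletter"},
}


def minimize(record, purpose):
    """Minimization: keep only the fields required for the stated purpose."""
    return {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}


def pseudonymize(record, key, lookup):
    """Pseudonymization: replace direct identifiers with a keyed HMAC token.
    The same key yields the same token, so datasets can still be joined, but
    going back to the person requires `lookup` (or the key), which must be
    stored separately from the pseudonymized data."""
    token = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()
    lookup[token] = record["email"]
    out = {k: v for k, v in record.items() if k not in ("email", "name")}
    out["subject_id"] = token
    return out


def reidentify(pseudo_record, lookup):
    """Reversal is possible only for the holder of the lookup table."""
    return lookup[pseudo_record["subject_id"]]


def anonymize(record):
    """Anonymization: drop direct identifiers and coarsen quasi-identifiers
    (birth year to decade, postcode to department) so no token or key can
    bring the record back to an individual."""
    return {"birth_decade": f"{record['birth_year'] // 10 * 10}s",
            "department": record["postcode"][:2],
            "newsletter": record["newsletter"]}


if __name__ == "__main__":
    key, lookup = secrets.token_bytes(32), {}
    for r in RECORDS:
        print(minimize(r, "newsletter"), pseudonymize(r, key, lookup), anonymize(r))
```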

Right to Information and Deletion

The right to information, which is also the right to question, must also continue to be a concern, “in a proactive and dynamic manner.”

The obligation to delete or purge raises the question of how long data should be kept, which depends on its nature and on the contractual commitments or general terms and conditions. This in turn determines what action is required. This chapter also raises questions about the duty of memory and the right to history, and it also touches on freedom of the press, which aims to preserve the memory of events.

In the Long Term, Jurisprudence and Readjustments…

On balance, GDPR compliance is an ongoing process. The GDPR is an inflation of articles: 99 articles, twenty more than the 1978 law, introduced by 173 ‘recitals’ with as many possible interpretations. Nothing is yet clear enough, but litigation will crystallize around certain points.

Finally, we note that the stakes are global and head-on. The legal principle is the most important part of GDPR; however, it is not a matter of freedom but of dignity, and of respect for the dignity of people.
