On May 28, 2020, CIO broadcast a web conference on the theme “GDPR, year II – After compliance, make way for rebalancing the customer relationship”. It was carried out in partnership with Netwrix, OneTrust, Sinequa and Talend, with the support of AFCDP, CESIN and CLUSIF.
Faced with the accelerating pace of sanctions and the increasing amounts at stake, it is high time that every company fully complied with the GDPR (the European General Data Protection Regulation), two years after it came into application. It is also time for companies to understand the advantages of a sound application of the GDPR, especially in customer relations. However, the CIO study “What levers to make the GDPR an opportunity for companies?” has shown that there are still many weaknesses. This study was presented at the web conference “GDPR, year II – After compliance, make way for rebalancing the customer relationship” held on May 28, 2020. The full recording is available here.
This web conference was carried out in partnership with Netwrix, OneTrust, Sinequa and Talend, with the support of AFCDP, CESIN and CLUSIF. It made it possible to hear the testimony of Sarah Benguigui (DPO of the Monoprix Group), Philippe Loudenot (FSSI of the Social Ministries and Administrator of CESIN), Fabrice Mattatia (Data Protection Officer, Ministry of the Interior) and Etienne Papin (Partner at Next Avocats). The Grand Witness of the morning was Sophie Nerbonne, Director in charge of Economic Co-Regulation at the CNIL (the French data protection authority, the National Commission on Informatics and Liberty). Her role is to support companies and professional organizations in complying with the GDPR. As Grand Witness, she intervened several times over the morning to comment on the presentations.
“Take back control of customer data for responsible personalization” was presented by Philippe Romano, Commercial Director for France, Belgium, Luxembourg & Switzerland at Talend.
“At the center of the concerns of many companies in the era of the GDPR, there is customer data,” Philippe Romano, Commercial Director France, Belgium, Luxembourg & Switzerland at Talend, first pointed out. In almost all European countries, fines of tens of millions of euros have been imposed for non-compliance. Worse, doubts about respect for personal data can slow down the growth of companies such as Zoom or the deployment of applications such as StopCovid. Philippe Romano insisted: “the digital economy works on trust. If your prospects have doubts about your respect for their data, you will have no chance of convincing them to follow you.” The subject is so important that 50,000 DPOs are already in place in Europe, and this number will grow in the years to come.
But among the difficulties of applying the GDPR is the processing of requests for access to personal data. According to Talend, 58% of companies fail to respond to requests within the legal deadlines; the average response time is 16 days at an average cost of 1,300 euros per request, which shows how costly the absence of an industrialized process is. It is therefore necessary to set up a tool that consolidates access to personal data and allows it to be communicated to the requester.
Sarah Benguigui, DPO of the Monoprix Group, presented her feedback: “Marketing in the era of the GDPR”.
The first to testify about her company’s approach, Sarah Benguigui, DPO of the Monoprix Group, reviewed the choices made by this retail brand, whose stores are mostly urban. Naturalia and Sarenza are also part of the group. “The DPO brings together people who don’t usually talk to each other, such as lawyers and computer scientists,” said Sarah Benguigui. At Monoprix, the DPO works mainly with the RSSI (the CISO). Of course, Monoprix manages HR data, like any business, but above all it manages customer data, in particular in connection with its loyalty program.
Customers’ purchases can be linked to their names if they are members of the loyalty program, which allows them to receive personalized promotional coupons. Sarah Benguigui stipulated: “it is a question of rendering a service to the customer, either by suggesting a purchase he would have forgotten in connection with another purchase, or by helping him discover something new. If he is used to buying tomato sauce with pasta, pesto can also be highlighted.” Once the data has been anonymized, it is also used for statistical purposes. “In these cases, the identity of the buyer is of no interest: it is just a matter of analyzing purchasing behavior and drawing conclusions from it, for example by store or according to the weather,” said Sarah Benguigui.
Questions asked during the web conference
At Monoprix, are you a full-time DPO? Do you have collaborators? Relays within the departments? What is your basic training?
Sarah Benguigui is a full-time DPO with a Master’s in Commercial Law from the University of Paris 1 Panthéon-Sorbonne and additional training in finance. As indicated during her talk, she is the pivot of a collaboration between IT and the business lines.
Consent or right to object for profiling? Is purchasing behavior analysis equivalent to profiling, and does it require specific consent?
Behavioral studies are carried out here on an anonymized statistical basis, and the results are then applied under the conditions specified when joining the loyalty program. Sarah Benguigui details this point in her talk.
Several questions concerned very small businesses (VSEs) acting as subcontractors or suppliers to large groups. Each company is responsible for its own compliance.
“Risk analysis: a key exercise for data protection teams” argued Victoria Gardin, Offering Manager France at OneTrust.
The processing of personal data involves a number of risks which should be analyzed. “Risk analysis is a key exercise for data protection teams,” argued Victoria Gardin, Offering Manager France at OneTrust. During her talk she went over the steps to follow in such a risk analysis, whether for security or for the protection of personal data. The analysis can of course be motivated by regulatory reasons or by possible cyber attacks, but also, simply, by customer requirements, without forgetting the trust of employees and the operational expectations of general management.
The analysis should rely on established security and data protection standards and methods such as ISO 27001, ISO 27005 and EBIOS. An ISMS (information security management system) may be required. Beyond “privacy by design”, companies must adopt “security by design”. A risk analysis of personal data processing may be mandatory. “It is necessary to set up a risk management methodology and to document the levels of risk incurred in terms of severity and probability,” insisted Victoria Gardin.
Philippe Loudenot, FSSI of Social Ministries and Administrator of CESIN, testified during his feedback on “Legitimacy and security, the conditions for obtaining data”.
Among the most sensitive and risk-bearing data are, of course, social and health data. To talk about them, the next witness was Philippe Loudenot, FSSI of the Social Ministries and also administrator of CESIN (Club of Experts in Information Security and Digital, today 500 members, all RSSIs). The “social ministries” are those in charge of health and solidarity, of work, and of sports. Like all FSSIs, Philippe Loudenot works daily with the DPOs of the ministries in his area. Faced with very sensitive data, he readily admits that “the first step is to carry out a risk analysis. Whether it is a risk analysis according to the expectations of the GDPR or according to cybersecurity requirements, it is the same approach; only the objective changes: protecting the organization or the citizens.” Availability, integrity, confidentiality and traceability are in both cases the four axes of analysis.
“The GDPR restated what the CNIL had been saying for 42 years,” sighed Philippe Loudenot. The regulation nevertheless made it possible to strengthen staff awareness of cybersecurity, implying a change in mentality. Today, integrity and availability, beyond confidentiality alone, are fully taken into account by everyone. The FSSI is thus called upon to support establishments hit by a ransomware (crypto-virus) attack.
“Five things to know to secure your data today” was presented by Pierre-Louis Lussan, Director of South-West Europe for Netwrix, with Thomas Limpens, South-West Europe pre-sales engineer for Netwrix.
In terms of risk, the health crisis that led to the generalization of telework has highlighted the specificities of this practice. “Data is the focus of security efforts,” argued Thomas Limpens, South-West Europe pre-sales engineer for Netwrix, even as data volumes explode, particularly unstructured data. Five steps must be observed: assess the risks (which begins with an inventory and purge of the stored data), prioritize the security of sensitive data, identify sensitive data that is over-exposed, control access rights (for example, delete obsolete accounts and excessive access rights) and finally reduce exposure to risk preventively. The tools offered by Netwrix support companies through these stages.
These tools make it possible to trace actual usage and take the appropriate measures. Pierre-Louis Lussan, Director of South-West Europe for Netwrix, underlined: “You have to know who really has access to what, when and where. In teleworking, guaranteeing adequate access guarantees the efficiency of the employee, and not going beyond what is necessary guarantees security. Especially since teleworkers’ terminals must be considered as ‘zero trust’.”
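The two steps above that lend themselves to automation, spotting over-exposed sensitive data and obsolete accounts, as an added illustration that is not Netwrix code: a small Python check run over a constructed inventory of accounts and file shares (all names, paths, groups and the 90-day idle threshold are assumptions).

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): user accounts with their last
# logon, and file shares tagged by sensitivity with the principals granted read.
ACCOUNTS = [
    {"user": "alice", "last_logon": date(2020, 5, 20), "enabled": True},
    {"user": "bob", "last_logon": date(2019, 11, 2), "enabled": True},       # idle
    {"user": "svc_backup", "last_logon": date(2020, 5, 27), "enabled": True},
    {"user": "contractor1", "last_logon": date(2019, 6, 1), "enabled": False},  # already disabled
]
SHARES = [
    {"path": "fs01/hr/payroll.xlsx", "sensitive": True, "readers": {"HR-Team"}},
    {"path": "fs01/public/menu.pdf", "sensitive": False, "readers": {"Everyone"}},
    {"path": "fs01/crm/customers.csv", "sensitive": True, "readers": {"Everyone", "Sales"}},
    {"path": "fs01/legal/contracts/", "sensitive": True, "readers": {"Domain Users"}},
]
# Catch-all groups: granting them read on sensitive data is over-exposure.
BROAD_PRINCIPALS = {"Everyone", "Domain Users", "Authenticated Users"}


def stale_accounts(accounts, today, max_idle_days=90):
    """Step 4 (control access rights): enabled accounts with no logon in max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["last_logon"] < cutoff)


def overexposed(shares):
    """Step 3 (identify over-exposed sensitive data): sensitive paths readable by a broad group."""
    return sorted(s["path"] for s in shares
                  if s["sensitive"] and s["readers"] & BROAD_PRINCIPALS)


def exposure_report(accounts, shares, today, max_idle_days=90):
    """Step 1 and 2 rolled up: how much sensitive data there is, and which items need action first."""
    sensitive = [s["path"] for s in shares if s["sensitive"]]
    return {
        "sensitive_shares": len(sensitive),
        "overexposed": overexposed(shares),          # remediate first
        "stale_accounts": stale_accounts(accounts, today, max_idle_days),
    }


if __name__ == "__main__":
    for key, value in exposure_report(ACCOUNTS, SHARES, date(2020, 5, 28)).items():
        print(f"{key}: {value}")
```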
Grand Witness of the web conference, Sophie Nerbonne, Director in charge of Economic Co-Regulation at the CNIL, explained the relationships between “Companies and the CNIL in the era of the GDPR”.
The Grand Witness of the web conference was Sophie Nerbonne, Director in charge of Economic Co-Regulation at the CNIL. She first recalled that the regulatory obligation is not limited to achieving data security and confidentiality, but also extends to documenting what has been achieved. “It is necessary to demonstrate compliance with obligations not only to supervisory authorities such as the CNIL but also to all partners, employees and customers,” observed Sophie Nerbonne. Compliance is based on a chain of trust. For her, the health crisis will accelerate awareness because of the generalization of telework and thus the digitization of work.
To help with compliance, the CNIL offers tools and methods. Sophie Nerbonne recognized: “It is true that the GDPR is a complicated text which lays down great principles that must be adaptable to each situation.” Four axes must be respected to bring an information system into compliance: identify the data held, sort the data to guarantee its relevance and legality, ensure respect for individuals’ rights and finally guarantee security. The tools and methods are organized around these four axes.
Questions asked during the web conference
What benefit can GDPR compliance derive from a benchmark or information system mapping tool?
Having an inventory of all processing operations is in itself an obligation under the GDPR, and it is a prerequisite for an analysis of flows and risks.
Should this type of tool preferably be used in collaboration with an expert within the information systems department?
Analyzing the information system requires, at a minimum, collaboration with the information systems department.
“Searching for data takes time … Finding it takes even more!” said Adrien Gabeur, Director of Cognitive Solutions at Sinequa.
The data inventory is therefore an essential step. It still has to be exhaustive. To ensure this, and to facilitate the communication of personal data to the persons concerned when they request it, a search engine can be useful. Sinequa thus makes it possible to analyze the data estate in depth, in particular unstructured data. “According to a study we conducted, 44% of companies do not have complete visibility of their unstructured data and 41% have difficulty locating personal data,” noted Adrien Gabeur, Director of Cognitive Solutions at Sinequa.
Finding personal data is often a very manual process, and therefore time-consuming, expensive and inefficient. A solution like Sinequa’s addresses this problem in five stages. First, the tool is connected to the data sources. The content is then analyzed using NLP (natural language processing) technologies. Advanced detection then relies on machine learning. Users must then review the sensitive data reported. Finally, it must be possible to export the data to third parties (in particular the requesters).
Etienne Papin, associate lawyer at Next Avocats, gave feedback on GDPR compliance and similar regulations as seen by companies.
Compliance with the GDPR should no longer be an issue two years after the text came into application. However, that is not the case. “There are no precise statistics on the subject but, depending on the company, the situation is very mixed, some having quickly got themselves in order to guarantee compliance, others not,” recognized Etienne Papin, partner at Next Avocats. According to Etienne Papin, the size of the company is not a predictor of how seriously compliance is taken.
The worst is perhaps that, as Etienne Papin points out, “the issues remain the same today as on the first day, starting with understanding the regulation. Appointing a DPO is good, but it is only the beginning. The DPO must also be sufficiently trained. Many companies have discovered legal principles which, in France, have existed since 1978 …” The first tool is of course the inventory of data processing. “It’s incredible how many business processes continue to rely on exchanging Excel files by email, which is a horror in terms of compliance,” said Etienne Papin.
Fabrice Mattatia, Data Protection Officer at the Ministry of the Interior, detailed during his feedback the establishment of a “Data Culture in very sensitive environments”.
The last witness of the morning, Fabrice Mattatia, Data Protection Officer at the Ministry of the Interior, is also the author of a book published by Eyrolles, “RGPD and personal data law”. The book takes stock of the law beyond the GDPR alone: “we too often forget a whole series of satellite texts, in particular sector-specific ones,” as indicated by the author, who set out to explain these texts in a pragmatic way.
The Ministry of the Interior processes large quantities of sensitive data on individuals and, above all, is subject to just about every text on personal data there is, including specific clauses of the GDPR. But Fabrice Mattatia also noted: “private actors (Facebook, Google …) ultimately have much more information than we do, for example what time you get up, what sites you visit, etc.” The ministry’s data is nevertheless very sensitive. Fabrice Mattatia thus explained the methods and approaches used to develop a culture of personal data in this large institution, a need that dates from before 1978.