Keeping Up With Changes In Data Protection Laws
Jennifer Godin, Group Data Protection Officer, Roquette
In today's digital world, a company's information assets are more than ever a source of value, while at the same time being exposed to new risks; cyber-security has become a major issue at the global, national and societal levels.
New uses (social networks, cloud services, connected objects, etc.) have multiplied the volume of personal data, and with it the collection and processing of that data, creating new data protection and privacy challenges for institutions, businesses and individuals alike.
Personal data protection laws and regulations have evolved significantly around the world, in order to strengthen the rights of individuals, guarantee new ones, and make stakeholders accountable. This creates new obligations for companies.
In Europe, since the GDPR became applicable in May 2018, the appointment of a Data Protection Officer (DPO) is required in some cases and strongly recommended in others, and this trend continues to grow as organisations need someone to steer the legal and IT measures to be implemented to ensure a group's compliance with these requirements.
A company based in France, with European subsidiaries, can have a lead supervisory authority, which in this case will be the CNIL. If a DPO is appointed for such a group, she/he must be easily reachable from each place of establishment: she/he must be able to communicate effectively with data subjects and to cooperate with the supervisory authority.
If, in addition, other subsidiaries and establishments are based outside the EU, a local DPO may be required there, and at the very least local coordinators will be necessary.
Thus the DPO of an international group will need to set up a network of local DPOs. Several strategic and operational questions then arise.
The challenges of appointing and managing a network of correspondents and representatives for the protection of personal data led by a Group DPO are at three levels:
From a strategic point of view: the implementation of a compliance program that allows a Group policy on the protection of personal data to be applied, with dedicated governance, harmonisation of practices, and support for spreading and strengthening a culture of data protection and respect for privacy, all at limited cost.
From an operational point of view: having an identified and suitable contact within each entity, quickly obtaining relevant information on operational reality and local legislation, and having a local coordinator for the application of the Group policy and, where applicable, local requirements.
Local DPOs must be trained in the principles of personal data protection and made aware of respect for privacy, and informed of the missions of the Group DPO, of the tasks incumbent on them, and of internal procedures such as those for registering a new data processing activity or for handling the exercise of data subjects' rights. Local DPOs will also have to keep themselves informed of legislative and regulatory developments in this area through local stakeholders and professional networks.
To fulfil their missions, the Group DPO and her/his network of local DPOs and experts need specific budgets covering the time spent, the communication tools used and dedicated business tools: data mapping, data subject requests, incident response and data breach notification, consent management, privacy impact assessment, vendor risk management, cookie compliance, etc.
The Group DPO must have an effective position within the organisation in order to report directly to the highest level of the company, to lead the network of DPOs and local correspondents within the group's subsidiaries, and to have access to a team of in-house experts: IT experts, security experts, lawyers, communication experts, translators, etc.
To be efficient and pragmatic, the governance of a Data Protection Compliance Program and its network requires the establishment of a Data Protection Management System built on a risk-based approach and a principle of continuous improvement (Plan-Do-Check-Act), in the same way as an Information Security Management System.
To operationalise a privacy program and effectively achieve privacy by design, DPOs, the chief information security officer, business contributors, lawyers and digital experts can use a shared privacy, security and data governance platform.
The DPO will play a conductor role to harmonize internal processes and deploy a culture of privacy.
A culture of privacy provides a shared understanding of how personal data can and should be used to support broader strategic objectives.
This improves the ability of a Privacy & Data Protection program to execute and drives alignment with other teams, increasing their understanding of and desire to support the achievement of Compliance goals.
All these lead to the biggest benefit of all: getting the highest and best use out of personal data — both for an organization and individuals.
In a Privacy & Data Protection program operating within a culture of privacy, legal compliance should be one result of a successful program, not the goal.
An equally important focus is how Data Protection supports other business objectives.
Ethics is increasingly talked about as a key brand value for companies, and data ethics is a key part of that.