best practices to apply in business

Jérôme de Mercey, co-founder and COO of Dastra

Jérôme de Mercey co-founded Dastra with the aim of making personal data protection operational. A lawyer by training, he worked for 6 years at the CNIL in the litigation department and noted the lack of treatment of the subject in the organization. Head of customer relations at Dastra, supports new users on the platform to help them master the management of personal data.

How has GDPR compliance become a major issue for businesses today?

Protecting personal data means having good IT hygiene. The proliferation of tools and services in organizations generates an explosion in the use of data, much of which is personal. Businesses must be able to manage well and effectively to maintain their business. Indeed, many risks weigh on organizations, whether financial via a fine or blocking of activities due to lack of data security, or reputation via the ” name and shame“.

The protection of personal data is now part of a broad framework of ethics, CSR and cybersecurity. It is no longer an isolated obligation. This regulation also marks a new approach in regulation and requires organizations to demonstrate that they are compliant (accountability) without waiting for the regulator to intervene. So there is a lot of documentation to put in place.

Which services or departments are most affected in the organization?

The sales/marketing department is at the forefront of business prospecting activities, which can generate numerous complaints from increasingly alert prospects about data usage. The HR department has historically been very impacted because the data processed are very sensitive and often requested in the context of litigation with employees.

In your opinion, what are the main best practices to follow in order to be GDPR compliant? Do you have concrete examples?

It is important to put resources into the subject and include it in the general strategy of the company. This requires internal governance, communication, business tools for the management of personal data, as we offer in Dastra, and an infusion of good practices in the company’s activities. This is why the involvement of business lines is essential.

For example, procurement departments must take into account the criteria for compliance with the GDPR when purchasing tools or services, and thus collaborate with the “knowing” (legal department, DPO, head of privacy, etc. ). In each department, it is necessary to ask questions that are more often common sense: how is this data useful for me? How long do I keep them? Who has access? Do you know how my service works?

Most of the time, it’s mainly about knowing your environment and asking yourself: wouldn’t it be an opportunity to optimize, to do a little cleaning?

How to establish a good management of cookies on a site? What are your tips in this regard?

Cookies are a subject that is however complex because it does not stop at simple cookies. It is also necessary to see everything that goes through the network and to be able to understand for each request the utility and the recipients. It is therefore necessary to solicit the “experts”: the website development teams and challenge them on what is deposited, read and requested by navigating the site. Then you must translate these behaviors and qualify them in terms of regulations, set a cookie banner and seek the consent of Internet users if justified. The easiest way is to go through a specialized tool or look for recommendations for the implementation of this banner. You can also read the CNIL guidelines on the subject, which are very explicit.

The CNIL clarifies the situation on cookie walls

What kind of tools can help companies ensure they are GDPR compliant?

There are many tools to ensure GDPR compliance. Some of them specialize in privacy-enhancing technologies (privacy-enhancing technology), which allows you to respond directly to the obligations of the GDPR. For example, a tool for data anonymization, automated data purging, etc. To organize compliance with the GDPR and allow the implementation of all actions, tools like Dastra allow you to implement internal governance and manage all internal processes.

The GDPR requires the maintenance of data records. Data governance tools allow you to establish the processing record, the security incident record, the monitoring of requests to exercise rights, the monitoring of compliance actions and risk management. At Dastra, we also offer compliance monitoring through an audit functionality to manage compliance over time. Compliance with the GDPR is an ongoing process and must be documented to meet the obligationaccountability.

What are the risks associated with companies that do not comply with the requirements of the CNIL?

The risk of a fairly simple sanction. Cooperation with supervisory authorities is an obligation enshrined in the GDPR. Bad faith is a criterion to aggravate the administrative response, which can go up to a financial penalty of up to 4% of the worldwide turnover, or 20 million euros in the limit of the higher amount. We have noticed that the number of sanctions is constantly increasing and that the financial amounts are increasing. Today, the CNIL is no longer the only one to decide the amount of a sanction, the other European authorities have their voice and can ask for a higher amount than that proposed by the CNIL. It happened recently with the ACCOR group. The CNIL proposed a fine of 100,000 euros, but the European mechanism raised the penalty to 600,000 euros.

It should be known that the resources of the CNIL are increasing and also its response to the litigation. She sent several hundred formal notices about cookies last year. Continue this year on website security. In addition, it has a new power to impose fines of a maximum amount of 20,000 euros in a simplified procedure, in particular to simplify the administrative response to the thousands of complaints it receives.

As part of the Nantes Digital Week festival, it will co-host the conference “GDPR, evaluate your compliance and prepare well”. Can you tell us a few words about it?

The purpose of our conference will be to review the best practices to adopt to comply with the GDPR. We, together with Matthieu Camus from Privacy Impact, worked together with the CNIL before collaborating on numerous compliance files with clients. The GDPR has passed its 4 years now, and we want to return to the state of compliance to support the fact that nothing is ever certain on this subject and that, to fully respond to the obligations, it is necessary to be prepared to receive it. a check from the CNIL. It is in this spirit that we will animate this workshop. How do we know where we are and are we ready in case of an inspection? The aim is educational, but also centered around the sharing of experiences. This workshop will be dynamic and collaborative.

Leave a Comment

Your email address will not be published. Required fields are marked *