Debate with :
Paul-Olivier Gibert, President of Association Française des Correspondants à la Protection des Données Personnelles; Matthieu Grall, Manager of the Technological Expertise Department at CNIL; Didier Henin, CISO at BUT International; Garance Mathias, Lawyer; Stéphane Omnes, DPO at Adéo Services.
Moderator: Florence Puybareau, Journalist
On 14 April, Le Cercle held a debate on Europe's new legislation. Organisations have two years to prepare with huge amounts of work to be done with CISOs on the frontlines.
Just by chance, European Parliament voted to adopt the regulation on the same day Le Cercle already planned to hold a debate on personal data protection under the new European regulatory framework. Spurred by the timeliness, the speakers at the round table underscored the urgency for private and public organisations, multinationals and SMEs to get to work to be ready to apply the new legislation in 2018. Matthieu Grall, Manager of the Technological Expertise Department at CNIL reviewed the context in which the regulation was adopted after years of work and undergoing several versions: "Because of social and technological evolutions, growing numbers of people are processing personal data. This pressed authorities to frame its use." It hardly bears repeating that we're all affected: citizens will have better control over their data, companies will have fewer formalities to deal with but greater responsibilities – especially subcontractors – and monitoring authorities will see their powers expanded.
Complex work for CISOs
One of the major innovations of the regulation is that companies (despite a few exceptions) will be required to appoint a DPO (Data Protection Officer). Paul-Olivier Gibert, President of AFCDP, association of DPOs, believes that the DPO will be the one to implement the regulation. This person will have to combine legal and technical skills and be able to take the message to the highest levels in the company. Although the DPO is at the heart of the process, the entire company will have a lot to learn, because, as Garance Mathias, lawyer, explained, "there are many steps". From risk mapping to rewriting subcontractor contracts to setting up personal data privacy violation notification processes, CISOs will be very busy in coming months, though they won't be alone. Stéphane Omnès, DPO at Adéo Services took a legal course and obtained assistance from a legal firm to ensure he was up to the task. This is especially important since he works for an international group with many subsidiaries inside and outside Europe. "One of the hardest things will be to find local DPOs. But even if applying the regulation will be complex, CISOs can handle it." Didier Hénin, CISO at BUT International, followed the same path, backed by his general management, because "in a sector like ours, customer data is worth its weight in gold". Didier Hénin set up various processes, starting with privacy by design which integrates security in every stage, right from product design. Intrusion tests are also conducted regularly and he leads training courses for the brand's 6 000 employees.
The evening's discussion was a first look at a topic that is likely to be of great importance for companies in coming years. Several questions already come to mind, like health data, for example. But that will likely be the topic of other debates.