Could you explain what But International has done with respect to implementing the European regulation?
We've been working on this issue for a number of years already, primarily since we decided we wanted to set up an e-commerce website. Over time, we were faced with the problem of risks to customer data. We had to create a CISO position because of the use and enrichment of customer data, and the transformation of our IT infrastructure (from flat files to data buses – ESB). One of the goals is to review all our processing in order to comply with the CNIL's requirements. Two years ago, we set up a privacy by design process to protect the security of sensitive data right from project start-up. This lets us get the information we need to prepare reports. Customer data is at the heart of the process. We're also creating a data dictionary on each of our projects in order to determine how customer data is used.
How is this seen in the company and by your service providers?
General management pushes and supports my work securing the information system, and customer data in particular; it's essential in the commerce sector.
I get help from Garance Mathias, who is providing assistance on legal aspects for this project and who worked to raise the management committee's awareness. Still, there are blockages both in-house and externally. The first obstacle is getting everyone to understand that technical security tools need to be applied. Plus, there are financial hurdles because you have to justify investments, but generally, I get the resources I need. This is why we can't consider ourselves to be completely compliant with the CNIL report recommendations.
Where do you start?
A few months after starting this job, I defined a strategy to increase our information system's resistance to intrusions, both internal and external. With our partner SOLUCOM we defined twenty intrusion tests per year for the entire IS and all our projects – during the pre-acceptance stage – to detect vulnerabilities, establish a remediation plan and implement a security management process over time. For our suppliers, we state our security demands in calls for tenders and prefer suppliers who already apply this concept. For our long-term suppliers, we've started a review of all our contracts with the legal firm to identify protection elements for sensitive data like customer data.
How do you stay up to date?
I act as CPO although it's not my official title, and so I'm familiar with personal data issues. I also took a course and I learn a great deal from Garance Mathias. Bit by bit we're building a solid team. And last, I aim to raise the awareness of the company's 6,500 employees on how to use information systems and related risks, as well as on protecting customer data, which means I travel a great deal in France. I also write articles for our in-house publication and have created an interactive e-learning program.