2. The GDPR at a glance
Risks & Challenges
Opportunities
3. What is the GDPR?
« This regulation […] sets out the rights of the individual and
establishes the obligations of those processing and those
responsible for the processing of the data. It also establishes
the methods for ensuring compliance as well as the scope of
sanctions for those in breach of the rules. » *
* preamble of the European Council
4. When?
Entered into force on 24 May 2016
Applicable from 25 May 2018
But:
End 2014: 52% of surveyed companies were not ready for it, and 56% did not know exactly what the acronym "GDPR" stood for (1)
September 2015: while 2/3 (69%) of IT professionals had realised that the GDPR would impact their business, almost 1/5 (18%) still had no idea whether they would be impacted
According to a recent survey, fewer than 10% of businesses believe they will be ready on time (2)
(1) Ipswitch – survey performed end 2014 on 316 European businesses
(2) http://www.lexpress.fr/actualites/1/societe/donnees-personnelles-la-cnil-exhorte-les-societes-a-se-preparer_1893219.html?socid=8a3ZW8qL
5. Scope & Penalties
Applies to all organisations established in the EU, and to organisations outside the EU that process data about EU citizens
Restricts personal data collection to the bare minimum
Offenders will be subject to heavy penalties, up to the higher of:
4% of the total worldwide annual turnover of the preceding financial year,
20M euros
6. Personal data
Very large scope:
Individual identity: first/last names, birth place and date, social security number, postal and e-mail addresses, telephone number, registration plate number, photo or video, etc.
Personal information: employment status, salary, etc.
Bank & fiscal details: credit/debit card number, IBAN, tax position, etc.
Personal life: interests, cookies and other internet traces, etc.
Location: geolocation (GPS or GSM), IP address, etc.
"Sensitive data" (requiring specific attention):
Personal life: racial or ethnic origin, living habits, religious, philosophical, political, union or sexual preferences, etc.
Medical, genetic or biometric data: fingerprint, DNA, etc.
Legal data: offences, convictions, etc.
Data relating to minors.
7. Symbolic Articles (1/4)
Right of access by the data subject + data portability:
Right to know whether data concerning an individual is being processed and, if so, for which purpose; right to know the source of the data and the planned retention duration
Right to request that the controller rectify or erase the data, or restrict its processing
Right to receive a copy of the personal data in a "structured, commonly used and machine-readable format"
Right to have the personal data transmitted directly from one controller to another, where "technically feasible"
8. Symbolic Articles (2/4)
Right to erasure: data subjects can ask the controller, provided the request is legitimate, to:
Erase their personal data permanently and globally
Stop disseminating it
If applicable, ask third parties to which the data has been transmitted to stop using it
The controller will have 30 days to do so
9. Symbolic Articles (3/4)
"Privacy by Design / Ethics by Design": the GDPR must be taken into account from the conception of products and services and throughout the whole project life cycle
Deployment of actions such as:
Data minimisation: only adequate and relevant data, limited to the processing purpose, shall be collected
Pseudonymisation, anonymisation or encryption, so that the data subject cannot be associated with the data without additional information
Restrictions on processing purpose and retention duration
Algorithmic ethics: processing shall in no way prejudice an individual's private life
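To make the minimisation and pseudonymisation measures on this slide concrete, here is an added example (written for this page, not code from the presentation or from the CNIL). It shows the three views a controller can derive from one record: a pseudonymised dataset whose direct identifiers are replaced by a keyed HMAC token, so that the key is the "additional information" needed to link the token back to a person; a purpose-limited extract (data minimisation); and an irreversibly generalised record for statistics. The record, the field names and the demo key are constructed assumptions.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Constructed sample record (fictitious person) as a controller might hold it.
SAMPLE_RECORD: Dict[str, object] = {
    "first_name": "Alice",
    "last_name": "Martin",
    "email": "Alice.Martin@example.org",
    "birth_date": "1986-04-12",
    "postcode": "75011",
    "salary": 42000,
    "interests": ["cycling", "jazz"],
}

# Direct identifiers that must leave the working dataset (assumed field names).
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("first_name", "last_name", "email")

# Constructed demo key. In production this "additional information" is generated
# with secrets.token_bytes(32) and held apart from the dataset (e.g. in an HSM or
# a vault the analysts cannot read); that separation is what makes the tokens
# pseudonymous rather than just obfuscated.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def subject_token(record: Dict[str, object], key: bytes) -> str:
    """Keyed, deterministic token for the person behind a record (HMAC-SHA256).

    Normalising case and whitespace keeps the token stable across sources;
    without the key nobody can recompute or invert it, so the pseudonymised
    dataset on its own does not identify anyone.
    """
    identity = "|".join(str(record[f]).strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Drop the direct identifiers and replace them with the keyed token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = subject_token(record, key)
    return out


def is_same_subject(pseudonymised: Dict[str, object],
                    candidate: Dict[str, object], key: bytes) -> bool:
    """Controlled re-identification, e.g. to honour an access or erasure request.

    Only the key holder can check whether a known person matches a token;
    compare_digest avoids leaking the comparison result through timing.
    """
    return hmac.compare_digest(subject_token(candidate, key),
                               str(pseudonymised["subject_token"]))


def minimise(record: Dict[str, object], purpose_fields: Tuple[str, ...]) -> Dict[str, object]:
    """Data minimisation: keep only the fields the stated purpose needs."""
    return {k: record[k] for k in purpose_fields if k in record}


def anonymise(record: Dict[str, object]) -> Dict[str, object]:
    """Irreversible generalisation for statistics: no token, only coarse values.

    Unlike pseudonymisation there is no key that could undo this step.
    """
    year = int(str(record["birth_date"])[:4])
    band_low = (int(record["salary"]) // 10000) * 10
    return {
        "birth_decade": f"{year - year % 10}s",
        "department": str(record["postcode"])[:2],  # French departement prefix
        "salary_band": f"{band_low}-{band_low + 10}k",
    }


if __name__ == "__main__":
    pseudo = pseudonymise(SAMPLE_RECORD, DEMO_KEY)
    print("analyst view    :", pseudo)
    print("marketing view  :", minimise(SAMPLE_RECORD, ("postcode", "interests")))
    print("statistics view :", anonymise(SAMPLE_RECORD))
    print("re-identified   :", is_same_subject(pseudo, SAMPLE_RECORD, DEMO_KEY))
```

The design point is the split of knowledge: the team that holds the pseudonymised dataset never sees the key, and the team that holds the key (to answer an access or erasure request) never needs the full dataset. Anyone who can read both has, in effect, the original data, which is why the key belongs in a separately access-controlled store and why the anonymised view is the only one safe to share without that control.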
10. Symbolic Articles (4/4)
Notification of a personal data breach:
Supervisory authorities shall be notified within 72 hours of detecting a data breach, stating the data types, the records and the approximate number of individuals involved
If the breach is likely to generate a high risk to the individuals, the data subjects shall be informed as quickly as possible
This requirement comes with an obligation of means: security measures shall be adapted to the risk
11. Methodology
The CNIL (French supervisory authority) recommends proceeding in 6 steps:
12. The GDPR at a glance
Risks & Challenges
Opportunities
13. GDPR implementation inherent risks (1/5)
European harmonisation of personal data management.
Yet each Member State can adapt the scope of some articles, such as:
The lawfulness of processing,
The conditions applicable to a child's consent (13 or 16 years old),
The definition of the "specificities" of some special categories of personal data,
The designation of the national supervisory authority (e.g. the CNIL in France), the means it will have and the extent of its authority to enforce the GDPR,
And even the penalties...
Risk of a race towards the lowest restrictions in order to attract businesses onto national territory, which would compromise the harmonisation
14. GDPR implementation inherent risks (2/5)
Implementation/redesign of business processes:
Processing lawfulness: any personal data processing must be lawful and conform to the purpose the data was gathered for. In addition, the processor must look at minimising the collected data
One can wonder how Big Data, machine learning or deep learning projects fit with this requirement
Consent: the processor must keep track of each individual's consent. This implies not only modifying the processes to collect and store this information, but also being able to differentiate the processing depending on the individual
Right to be forgotten: requires automating (1) the process to take this right into account and (2) the process required to implement it
15. GDPR implementation inherent risks (3/5)
Implementation/redesign of business processes:
Right to data portability: a big challenge
Harmonisation of the personal data transfer format
Questions the later use of the personal data by the first processor
What about "produced" personal data, i.e. data that was not provided by the individual (bills, traffic, location, IoT-generated data...)?
Privacy by design: requires a new project governance between IT, legal & operational teams
Impacts on the organisation:
Redefinition of some positions,
New expertise,
Blueprint review
16. GDPR implementation inherent risks (4/5)
Legal aspects:
Territorial scope:
The GDPR potentially impacts non-EU businesses: how to enforce the decisions?
All the more in the case where several transnational processors are involved?
Processor responsibility: assessing risks at their fair value so that they can be handled by appropriate measures will represent a real challenge
17. GDPR implementation inherent risks (5/5)
Legal aspects:
New binding corporate rules: BCRs must be reviewed according to the new regulation and applied internally
Subcontracting: potentially all existing subcontracting agreements have to be amended
Personal data breach notification:
To the national supervisory authority: the balance between the penalties that could be applied and the fear of damaging the company's image and trust will be delicate to find
To the individuals: again, this is a real Sophie's choice between communicating openly and taking the risk of being sanctioned
18. Governance / Organisation difficulties
Stakeholders' unwillingness (Management, BUs, ISD)
Reluctance to change (new organisation, new Privacy by Design requirements): the DPO must keep a close watch
Lack of methodology / expertise
Budgetary:
High-level estimates of the personal data mapping might be possible, but a final compliance estimate is just impossible
The balance between risk and "gold plating" is hard to find
Deadline: follow a step-by-step approach, addressing the most urgent subjects first
19. Special case
Unauthorised transfers or disclosures outside of the EU:
Companies will be crushed between the GDPR and foreign lawful injunctions: an unmanageable situation
More political than legal?
20. The GDPR at a glance
Risks & Challenges
Opportunities
21. An opportunity for the European citizens
For 57% of Europeans, personal data disclosure is a real problem,
94% deem it necessary to explicitly give their consent to the collection of personal data (74% in any case, 12% via the internet and 8% for sensitive data),
90% consider it important that the same data protection rules apply all over the EU,
70% are concerned that their personal data can be used for purposes other than the one they provided it for
Only 15% feel that they have full control over the information they provide online
* Eurobarometer 2015-431
22. An opportunity for the European companies (1/4)
Regain control of the data: the impact of the digital transformation on a company's operating income is evaluated at +/- 60% (+40% in case of success to -20% in case of failure) (1).
➢ New regulation + digital maturity are perfect triggers for digital transformation
➢ Full data mapping will help implement Big Data projects
➢ Deployment of "self-service" tools: Data Preparation, Data Discovery, Data Governance, Dataviz, Data Science
(1) McKinsey 2014, "Accelerating the digital transformation of French companies"
23. An opportunity for the European companies (2/4)
Regain control of IS security:
➢ The GDPR enables more transparency and therefore more trust in the digital world.
Crucial:
➢ 75% of businesses are unaware that the "private life" experience is perceived as one of the customers' 3 most important criteria (1)
➢ 88% of consumers consider personal data security as THE most important factor when buying online (1)
(1) Symantec surveys 2015 & 2016
24. An opportunity for the European companies (3/4)
Right to data portability: opt for a more open architecture, deploying and using APIs to exchange data with third parties (e.g. Open Data)
25. An opportunity for the European companies (4/4)
European Big Data players:
European players are the first and most exposed to the regulation; will they seize the opportunity by implementing "Privacy by Design"?
The same goes for "subcontractors" (Cloud, software firms, etc.)
Meanwhile, in the United States, Congress abrogates a law protecting private life on the web (29 March) (1):
Internet providers will be able to sell their customers' data to third parties without explicit authorisation,
If Donald Trump promulgates the law voted on Tuesday, service providers such as Verizon or Comcast will be able to follow their customers' online behaviour and use their financial and personal data without their consent to sell especially well-targeted advertising space. This will allow them to compete more fairly with Google or Facebook, which are regulated by different acts and can therefore add more value to the information collected, and to gain momentum on the online advertising market, estimated to weigh $83 billion. (1)
(1) "Les Echos" (29 March 2017)
26. What about tomorrow?
We're already talking about "Privacy by Using"...
Unique Digital Identifier
IOT, bots & GDPR
27. Tomorrow: Privacy By Using
http://blog.businessdecision.com/bigdata/2016/11/gdpr-nouvelles-contraintes-opportunites/
28. Tomorrow: Unique Digital Id
When buying online, one will be able to provide one's UDId
The vendor will only get the data required for the payment
The buyer will then provide the UDId to the courier, who will be able to retrieve the buyer's address but will not know what is in the parcel
29. Tomorrow: IoT
2020: 26 billion connected objects are expected, $300 billion!
+ data + governance!
2 major challenges:
The data flood is at odds with the GDPR: we stand very far from "Privacy by Design"
Trust & security
Many providers: no one is accountable
Each new IoT device opens a door into the IS, posing serious security issues
"Don't speak about too personal or too sensitive things in front of your TV screen, because it's spying on you!"
(Samsung about its "smart TV")
30. In fine
A road paved with difficulties:
GDPR-inherent (harmonisation?, organisation, reorganisation, legal aspects)
Exogenous (unwillingness, lack of methodology/expertise, budgetary, deadline)
But it also offers many opportunities:
To the European citizens,
To the European companies: regain control of their data and of their IS security
Deployment of a more open architecture
Opportunity for the European digital players
31. Acknowledgements / Webography
Thanks to Mr. Antoine Vigneron, teacher at the CNAM
References read online:
European Council – The GDPR: http://www.consilium.europa.eu/fr/policies/data-protection-reform/data-protection-regulation/
CNIL (Commission nationale de l'informatique et des libertés) – French regulator: https://www.cnil.fr/professionnel
CIGREF – Valuing data in large corporates: maturity, practices and model: http://www.cigref.fr/wp/wp-content/uploads/2016/11/CIGREF-Valorisation-des-donnees-Pratiques-Modele-2016.pdf
gdpr.expert: https://www.gdpr-expert.eu/#textesofficiels
GlobalSecurityMag.fr – GDPR: 5 major changes for companies: http://www.globalsecuritymag.fr/GDPR-5-changements-majeurs-pour,20170227,69261.html
NOVENCIA – 10 questions to understand the GDPR: https://www.novencia.com/gdpr-10-questions/
BusinessDecision.com – Big Data & Digital Blog: http://blog.businessdecision.com/bigdata/2016/11/gdpr-nouvelles-contraintes-opportunites/
CIL consulting: http://www.protection-des-donnees.fr/gdpr-pourrait-bien-booster-croissance-acteurs-europeens-big-data/