KEY FIGURES
With the General Data Protection Regulation, the company becomes legally responsible for the processing of personal data.
At the same time, the widespread use of networks, the advent of cloud technologies and the growing need for mobility are outdating the perimeter security model.
Faced with this dual challenge, data security will no longer depend on where it is stored, but on how it is stored.
What is the RGPD (or GDPR)?
The General Data Protection Regulation (GDPR) is a regulation adopted by the European Parliament. It came into force on May 24, 2016 and is applicable from May 25, 2018.
It is a tool of European sovereignty with a triple purpose:
- Strengthening people's rights
- Making data processors accountable
- Enhancing the credibility of regulation and strengthening cooperation between national authorities
Privacy and data security must now be at the heart of software design for information systems.
RGPD at the heart of information systems
From now on, the personal data of European Union citizens will have to be confidential and secure, and this means transforming the information systems of all entities, organizations and companies, whether European or not, that process the data of Europeans.
Information systems must be redesigned in line with the general principle of data protection from the outset, i.e. :
- Privacy by design
- Security by default
- Sensitive and personal data
Sensitive data such as racial, ethnic, religious, philosophical, political, trade-union, genetic, biometric, medical, privacy or sexual orientation data are, with a few exceptions (such as medical research), subject to the ban.
Personal data , allowing direct or indirect identification of individuals, is subject to the RGPD.
New rights for European citizens
After the vote of the Patriot Act "Following the passage of the Patriot Act on September 11, 2001, the personal data of European Union citizens was undermined by the Safe Harbor agreement .
This is a set of data protection principles, which allows American companies to transfer personal data of European citizens to the United States. It was invalidated on October 6, 2015, by the Court of Justice of the European Union.
The RGPD will now give all EU citizens the following rights:
- Right to access and delete personal data
- Right of objection, rectification and deletion
- Right to portability of personal data
- Clear and explicit consent
New duties for companies
Conversely, the RGPD places a set of duties on companies responsible for personal data:
- As data controller, they become Data Manager according to the principle of " Accountability ".
- They are required to keep a register of processing operations
- They must appoint a pilot: the Data Protection Officer (DPO) or Responsable des Données Personnelles (RDP).
- They must take stock of data and document practices
- They are obliged to report data leaks to the authorities within 72 hours.
Penalties for non-compliance range up to 4% of worldwide annual sales or 20 million euros.
The company's obligation is not one of results, but of reinforced means, i.e. with regard to the state of the art.
Accountability principle
The company becomes responsible for processing direct or indirect personal data concerning a natural person, whether the person is identified or identifiable, and whether or not the processing is automated.
The data controller is considered to be the responsible economic player, and as such is responsible for taking measures to guarantee the protection of personal data:
- Determining goals
- Documenting treatments
- Gathering explicit consent
- Give access to data
- Enable their deletion or porting
RGPD imposes a break in the way data is stored
For companies, the advent of the General Data Protection Regulation represents a strategic breakthrough in both legal and technical terms.
Since the invention of computing, data security has always been built around physical security (the machines) and perimeter security (the network).
In the image of a medieval fortified castle, it was the thickness of the walls that ensured the level of defense. This was true until 2010.
However, the widespread use of networks, the advent of cloud technologies and the growing need for mobility are putting this model out of date.
After the Middle Ages of computing, the Internet and the Cloud are the modern printing presses that bring us the Renaissance: walls are pierced with windows to facilitate exchanges with the world.
Data security will no longer depend on where it is stored, but on how it is stored.
