Agreed on 14thApril 2018, the General Data Protection Regulation (GDPR) entered into force on 25thMay 2018.
Outside of the strictly personal field and in compliance with article 9 of the civil code, if you have personal data (mail, phone number, identity information…) of a European Union resident in an information system (numerical or paper), you are affected by this new regulation.
Developed to achieve 3 main objectives: strengthen the rights of persons, empower actors dealing with data, provide credibility to regulation. This rule affects every level of your company, from your employees to your customers, your suppliers and your competitors.
The challenges, related to controls and litigation, following this regulation, require a real questioning from all the executives.
GDPR is not a technical recommendation. Even if some adaptations can follow it, it is more a juridical and organizational framework which needs a continuous work combining humane measures (like user’s awareness) combined with organisational measures (as to provide collecting procedures and data processing, breaches notifications in information systems), and operational measures (like designation of an officer or the supervision of those information systems).
The Swiss Cyber Institute and the International Management School Geneva offers a programme of five workshops to build your compliance:
- The operator must take all measures to ensure compliance with the GDPR;
- The operator must be able to demonstrate that he has fulfilled his obligations in terms of data protection, which will be required in particular in case of control or litigation.
Privacy by design
- Personal data protection must be considered from the conception of the product or service;
- Personal data protection must be secured in information systems, databases or any applications.
Security by default
- The operator must reinforce the role of security in information systems;
- The operator must secure his information system at its different levels, from the physical to the logical;
- The operator must be able to detect if the integrity of his information system has been compromised and be able to remediate it.
Data Protection Officer
- The operator must associate an Officer (internal or external) for the various questions and issues on personal data protection;
- The Officer must ensure the operator’s compliance with the GDPR and be the point of contact with the supervisory authorities.
- The operator must carry out an impact study on the personal data protection before the implementation of new data process to prevent risks of individual rights and freedom violation;
- The operator must also provide measures to reduce the impact of potential damage to the personal data protection.