Aprovecha las ventajas del RGPD

Jerome Buvat

Global Head of Research, Capgemini

Jerome is the Global Head of Research at Capgemini’s Digital Transformation Institute. He is experienced in digital transformation and strategy, and helps clients assess the impact of digital technologies on their business.

While the majority of individuals are willing to reward organizations that proactively implement the GDPR, most organizations are not ready to see beyond compliance and seize this latent opportunity. The dangers of failing to comply with the guidelines are big, but the benefits of converting the GDPR from mandate to opportunity are potentially bigger.

Europe’s General Data Protection Regulations came into effect on May 25. Organizations across the world are scrambling to be ready fearing stricter regulatory action owing to non-compliance.

We surveyed 6,000 individuals and 1,000 industry executives across eight countries to gather their views on the subject.

Here are the key findings:

• The GDPR is an opportunity waiting to be tapped – individuals are more willing to engage with, and be more loyal to, organizations that protect data, and going above and beyond the GDPR brings even greater reward.
• However, most organizations are not ready to seize this opportunity – significant work remains to be done to increase not only compliance levels but also compliance maturity and to bridge the gap between the preparedness of organizations and the expectation of individuals.
• An immature approach will have significant consequences because consumers are prepared to take action if they are unhappy with organizations’ GDPR compliance performance.
• To convert the GDPR from mandate to opportunity, organizations must take a series of steps, ranging from educating customers and citizens and winning their trust, to building a culture of respect for personal data within the organization.

To read the complete findings, download the report from here: Seizing the GDPR advantage 

In an interview with CNBC, Willem de Paepe, Capgemini’s Global Solution Lead for GDPR spoke  about how organizations must view the GDPR regulations as an opportunity to streamline business and generate new streams of revenue.

Dr. Fabian Rusch

Chemicals & Life Sciences Consultant, Capgemini

Because the GDPR specifically stipulates genetic data or information about the physiology, physical, or mental health of a person must not be processed, it carries particular ramifications for the Life Sciences industries. Relying on exceptions may prove insufficient, so companies must explore alternative solutions to mitigate risk.

May 25, 2018 is a day which many European citizens might have mixed feelings towards. While privacy groups will be eagerly waiting for the day to arrive, CXOs of many organizations will be asking themselves: “are we prepared well enough?”. And this seems to be the central question of the day as the new EU-General Data Protection Regulations (GDPR) come into force.

The regulations deal with the processing of personal data of individuals, and acknowledging the risks an increasingly digitalized society is faced with. GDPR is not the first legal agreement to strengthen the rights of individuals towards personal data processing. European data protection legislations, both overarching and with various dedicated regional regulations, have been a part of business for a long time.

The Life Sciences industry is not immune to the significance and impact of these regulations. Guaranteeing patient safety requires huge volumes of highly sensitive healthcare data to be collected and analysed for purposes such as research, clinical trials, among others. Ensuring compliance with data safety rules and regulations thus becomes inevitable.

 Tightening the existing rules or introducing new ones?

The number of research organizations, pharmaceutical companies, laboratories, sponsors, and statisticians which are affected by data privacy regulations increases with every handling of personal data that belongs to a citizen of the European Union. Consequently, each user of this data must comply with the new GDPR regulations. Internationally operating companies will be required to update contracts with their subsidiaries and third parties, especially those located outside the EU. The way to achieve this will be through standard contract clauses or binding corporate rules.

Under the new regulations, certain categories of personal data which are critical for the Life Sciences industry such as genetic data or containing information about the physiology, physical, or mental health of a person are prohibited from being processed.

Exceptions the Life Sciences industry could utilise

In general, one approach the Life Sciences industry could utilise, is consent by the affected person. The procedure already exists for this in the Life Sciences business, but it must be adjusted for distinct cases. For example, more detailed information about the specific use of the data and the rights of the agreeing person must be provided. Data processing is limited to the use explicitly consented to. A deviation from the agreement for different reasons is disallowed and not compliant with the GDPR. Furthermore, every usage of a data set must be documented in order to be able to disclose use of data to the person affected or to supervisory authorities. This requirement may turn out to be very cost-intensive. Even explicit deletion concerns, based on a legitimate interest of a natural person, must be realised. That means, Life Sciences companies should verify and, if necessary, adjust their processes from getting consent to complete deletion of the data.

Another exception the Life Sciences industry may utilise is data processing by means of public interest reasons. One could argue the development of new medicine or drugs and their obligatory clinical trials are necessary to improve human health. Even this argument must be carefully weighed because financial profit is attached to this data use.

Arguably relying on these exceptions would not be enough to avoid potential financial fines by the competent authorities.

Anonymisation and pseudonymisation as response to GDPR

Even the anonymisation and pseudonymisation of personal data for clinical trials, practiced by many different companies, could not be safe under certain circumstances. Pseudonymisation under such a regulation could be legally challenged. The company has the burden of proof that the pseudonymised data are no longer recoverable, the encryption/decryption key for decoding is stored elsewhere, and security measures are technically suitable and adequate. The range for interpretation of “technically suitable” is large. Fact is, that the more data the company handles, the higher security effort must be provided. Responsible people will carefully verify their existing processes and technical security measures to decide, in close cooperation with their legal department and data protection officer (DPO), whether they are well prepared or additional measures must be implemented.

Solutions to overcome compliance risks

For many of the mentioned aspects technical solutions to face such problems exist. Therefore, the first step should be a comprehensive risk analysis which includes all business processes and a gap analysis which reveals potential lack of compliance.

One approach could be a “Privacy by design and by default” solution, which covers and combines pseudonymisation and data minimisation. Besides the technical adjustments, a cultural change if necessary, from top-down must be considered and compliance rules firmly established.

Although many companies already have a data protection officer, it is now necessary for each company of a certain size to officially nominate a dedicated person for this role. His or her range of duty expands due to new reporting obligations, e.g. an immediate report in case of a personal data breach. All reporting obligations and requests by the supervisory authorities are managed by the company DPO, who acts as autonomous and single point of contact between the two parties.

Besides these aspects and obligations which companies must fulfil within the GDPR, chances and benefits should be considered too. A better knowledge of the data flows and business processes could be an advantage as well as the avoidance of monetary penalties or reputational damage.

The Life Sciences industry and each stakeholder within this field needs to balance whether compliance to GDPR is easy to handle or could be a potential risk for its own business, by challenging every aspect related to this topic. To answer that question from the Life Sciences industry perspective is not as easy as one might believe.

Geetha Jayaraman

Operations Manager, Capgemini

Geetha is an expert in Governance, Risk, and Compliance. As a cybersecurity expert, she has guided many organizations in balancing risks with adoption of technologies.

Both the GDPR and the PSD2 (Payment Services Directive 2) aim to empower the customer, but the PSD2 can only be successful within the context of the GDPR. That said, if organizations take an integrated approach toward these two regulations, data protection won’t be sacrificed while taking advantage of the opportunities that PSD2 brings.

From May 2018, organizations that provide payment services in the European Union will be subject to both PSD2 and GDPR. Is your organization ready with the right approach to complying with these two regulations?

PSD2 and GDPR—an introduction

Payment Services Directive 2 (PSD2) is a fundamental piece of payments-related legislation in Europe that entered into force in January 2016, with all European Union (EU) member states required to implement the directive as national legislation by January 2018.

Briefly, PSD2 aims to bring an integrated and efficient European payments market, promote competition through a regulatory framework and improve consumer protection. It requires payment service providers (PSP) such as credit institutions, banks and post offices to make significant changes to their existing operations, paving the way for new fintechs to offer services in one or both of the following two modes:

• Account Information Service Provider (AISP)
• Payment Instruction Service Provider (PISP)

PSPs are obliged to provide their customer information in response to customer requests to these “third-party providers” (TPP).

Read the complete post here: https://www.capgemini.com/2018/03/adopting-the-right-approach-to-psd2-and-gdpr-compliance/

Ramón Pérez Blanco

VP – Cloud Infrastructure Services, Capgemini

Ramón is an expert in Data Center Services, Hybrid Cloud, and Managed Services and manages the sale and implementation of IT transformational programmes in a multinational environment.

The digital economy wants you to be transparent and proactive in terms of data privacy – so do your customers. Now is the time to take your data privacy strategy from defensive to offensive.

Customers are aware that the scope of privacy is growing. They want transparency. The sensitive information limit goes beyond religious beliefs, health, or ethnic data. The new rules will apply in all countries and jurisdictions.

Many organizations are scrambling to align their processes to the new data privacy and protection requirements stipulated by the EU’s General Data Protection Regulations (GDPR). Let me stop the clock and pull you away from your project plan for a few minutes.

We are not talking about fettering your organization with red tape. I mean, we are not talking about pure compliance, but rather about taking you from the defensive to the offensive. The digital economy is asking providers to be transparent and proactive.

Customers are aware that the scope of privacy is growing. They want transparency. The sensitive information limit goes beyond religious beliefs, health, or ethnic data. The new rules will apply in all countries and jurisdictions. Millennials constitute a significant chunk of our workforce and our clients and they don’t want to work with or buy from companies that fail to manage their data correctly.

Companies must commit to deploying all the preventive processes and technologies necessary to reduce the risk of data leaks and to protect end users’ rights, such as the right to be forgotten. Moreover, they must create a disaster recovery plan with the proper protocols for recovering and validating data.

I hope that these thoughts will help you get to back to basics and think about the actual reasons to face the GDPR in a real and effective way.

Simply checking off the box is not going to work any longer.

P. Gopichand

Operations Manager – Business Services, Capgemini

Gopichand Patibandla, is an experienced GRC and Audit Assurance professional. He has successfully managed many ITGC/SOX/SAS70/SSAE16/ISAE3402 projects for multiple clients. Prior to joining Capgemini, Gopichand held a variety of roles, including implementation of large IT projects and management of various IT processes in a large financial organization. He has extensive experience in performing gap analysis, compliance assessments in the areas of IT risk, IT governance, privacy, and security.

Understanding the concerns of your data subjects is not just good business practice – it is a crucial part of the data protection impact assessment (DPIA). It is also a key part of complying with the GDPR where high-risk data processing is concerned and an important tool for building and demonstrating compliance.

Effective GDPR compliance requires you to consult your data subjects or their representatives while conducting a data protection impact assessment.

According to article 35(9) of General Data Protection Regulation (GDPR), while conducting a data protection impact assessment (DPIA), an organization should seek the views of data subjects or their representatives on the intended processing without prejudice to the protection of commercial or public interests or the security of processing operations.

What is a DPIA and what does it do?

A DPIA is a process for assessing the impact on privacy of a project, policy, program, service, product, or other initiative, and for taking remedial actions as necessary to avoid or minimize any negative impact. It is a key part of complying with the GDPR where high-risk data processing is involved.

DPIAs help organizations identify, assess, and mitigate or minimize privacy risks with data processing activities. DPIAs are important tools for accountability, as they help controllers comply with and demonstrate that appropriate measures have been taken to ensure compliance with GDPR requirements. In other words, a DPIA is a process for building and demonstrating compliance.

Read the complete blog here: https://www.capgemini.com/2018/04/dpia-under-gdpr-consult-your-data-subjects/