Data Privacy & Transparency: Data Protection in Business
This post was written by Ambre Ulrich, Madeleine de Place and Matthieu Klotz
Referred to as “the gold of the 21st century,” data has become a valuable asset for companies – as long as it is correctly used, managed, and controlled. To stay competitive, organizations need to push ahead with their digital transformation – a way of doing business that requires the development of new IT tools, increasing data volumes. However, collecting data for subsequent use, and keeping it secure, can be difficult.
Companies face stringent security and transparency requirements with a strict legal framework imposed by the GDPR. However, these statutory obligations are not the only restrictions imposed on companies. For example, for client confidence, which is essential their image and business relationships, companies must inform their customers how they intend to use their data and reassure them that it will be kept safe.
This creates two major problems for companies:
- Data privacy: Data protection means ensuring that a user’s data is their own and that no one else has access to it (except as expressly provided for during the processing).
- Transparency: Transparency means giving data subjects clear and easily accessible information about the nature of the data collected, how the company intends to use it, the processes put in place, and how they can exercise their rights.
But how can you guarantee confidentiality of the data collected? How do you ensure security and compliance? How do you manage data processing, storage, modification, and deletion? This month, we’re looking at data privacy and transparency. Our data experts are on hand to share their expertise with you and give you some technical solutions to your data protection and transparency issues.
Why Does Your Company Need to Make Its Data Secure?
With the emergence of new technologies, companies are faced with growing volumes of data, whether internal company data or data collected from clients. Once its has been processed and analyzed. data becomes a valuable tool for improving efficiency, performance and competitiveness and is regarded as a vital component of a company’s strategy. This increase in the amount of data collected by companies has quickly raised the issue of how to keep it secure. What could happen if your data fell into the wrong hands? What consequences would a data leak cause? How do you protect your data? The need to establish a legal framework to address these issues soon became apparent.
Increased Data Volumes Collected by Companies
Companies collect huge volumes of data. Since the increase in hybrid working, it is estimated that the volume of data generated by companies has increased tenfold in five years. A trend that looks set to continue. Not all of this data is equally sensitive. It does not necessarily require the same level of security. Some so-called “sensitive” data requires particular care and we’ll come back to that later in this post.
First, let’s look at personal data: what constitutes personal data? Any information relating to an identified or identifiable natural person is considered personal data. The identification can be direct (e.g., first and last name of the individual) or indirect (e.g., social security number, phone number, etc.). Identification can be through a single piece of data (e.g., last name) or by combining multiple data elements (e.g., male born on a particular date, living at a specific address, and a member of a certain sports club).
For a company, human data is the personal data relating to individuals concerning their activities.
Personal data is defined as “any information relating to an identified or identifiable natural person.” In other words, any data that enables an individual’s (direct or indirect) identification is considered personal data and is subject to special protection.
Companies have cause to collect vast quantities of personal data daily, to manage their teams (employee personal data) and as part of their business relationships (personal data of clients, suppliers, etc.).
Personal data takes many forms:
- Last name
- First name
- Email address
- Phone number
- Social security number
- IP address
- ID number (e.g., customer code)
- Date of birth
Alongside human data, companies process large volumes of data relating to their business activities. This can include financial data (profit, loss, budgets, sales forecasts, accrued expenditure, invoices, etc.) and business activity data (processes, statistics, products, etc.).
Disclosure of this information could prove harmful to the company, particularly if information about their strategy, targets, or know-how gets out. That is why making sure this data is secure is essential.
Special Case of Sensitive Data
While some data has no particular “value,” other data is considered “sensitive” and warrants extra vigilance during processing and security.
For this reason, collecting an individual’s health-related data or data about their political opinions or religious beliefs is usually not permitted in companies. However, it may sometimes be necessary to collect such sensitive data during professional activities. HR departments, for example, have to manage employee health data (absences from work, official recognition of a person’s status as a worker with a disability, etc.).
Therefore, tools that guarantee the security of this data during storage and processing are essential.
What is Sensitive Data?
The following personal data is considered sensitive:
- alleged racial or ethnic origin
- political opinions
- philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health-related data
- data concerning a person’s sex life or sexual orientation
GDPR: A Legal Framework for Business Data
What fundamental rights does a data subject have regarding their personal data? Every data subject has the right:
- To be informed about the use of their data
- To access their personal data
- To rectify their personal data (e.g., change of address, name change, etc.)
- To object to the processing of their personal data
- To have their personal data erased (also known as the “right to be forgotten”)
- To restrict the processing of their personal data
- To data portability
The need to regulate the management of personal data is not new. French lawmakers imposed rules as far back as 1978 in the so-called “Computers and Civil Liberties Act” dated January 6, 1978. With some exceptions, this law prohibited companies from collecting sensitive personal data and obliged them to report any file containing personal data to CNIL, the French Data Protection Agency.
Following an initial European data protection directive in 1995, the entry into force of the General Data Protection Regulation on May 25, 2018, significantly strengthened the legislation. GDPR applies to all Member States of the European Union and, among other things, requires companies operating in France to implement data protection measures.
The Requirements for Data Collection and Processing in Companies
The GDPR requirements oblige companies to ensure transparency for users and personal data security. These measures must cover all stages of the data’s life cycle, from collection to destruction:
In particular, the support and sales departments in a company face issues concerning personal data. Everyone needs to take the following actions to ensure compliance with the GDPR:
- Keep a record of data processing activities: What is the purpose of each activity? What data was collected? How long will it be kept? Who will have access to that data?
- Sort through any data: What data already exists? Does your company need the data collected? What is the purpose of processing the data collected?
- Respect the rights of data subjects: How are data subjects informed about your use of their personal data? Can they exercise their rights (to object, to erasure, to rectification, etc.) easily?
- Make data secure: Is your company using hardening IT tools? Do you encrypt the data? Do you use strong passwords?
There are many compliance measures. To help you get started, here are some suggestions based on your department.
Marketing/Communication Department: Which Data to Protect?
As the face of your business, marketing and communication departments are on the front line when it comes to collecting and processing personal data. Their role is twofold:
- To ensure the company’s transparency regarding its data processing activities by publishing legal notices on its various public platforms (websites, landing pages, event registration pages, etc.)
- To ensure the security of personal data by implementing tools and processes
The sources for collecting and processing personal data in marketing and communication departments vary:
- Contact forms
- Downloading content (white papers, guides, infographics, etc.)
- Event registrations (webinars, trade fairs, panel discussions, workshops, evening events, etc.)
- Newsletter and publication subscriptions
Our Tips for Making Your Data Secure:
- Carry out an audit of your existing data
- Stick to useful data and avoid collecting data you will not process
- Implement processes (for database processing in particular)
- Enlist the help of an expert (DPO, attorney, etc.) to draft legal notices
- Make your teams aware of the issues surrounding GDPR
- Review contact form fields (think about titles/restrict comment fields, etc.)
- Use automated and secure tools
- Set up a cookie management tool, such as Axeptio
HR Department: How to Protect Sensitive Data
Unlike the marketing and communication departments, which mainly manage data from outside the company, HR departments deal with the personal data (including sensitive personal data) of job applicants (CVs) and employees. This may include:
- Home address
- Marital status
- Personal phone number
- Social security number
- Tax-related data
- Absences from work
The applicable legislation provides for specific retention periods for each data type (e.g., five years after an employee’s departure for data from the Official Employee Register or two years for an applicant’s personal data).
You need automated tools to process this data securely and to manage erasure of the data and the right to be forgotten easily.
Our Tips for Making Your HR Data Secure:
- Set up HR software (or an HR IS) with access rights restricted by user
- Implement automated data deletion processes
- Make users aware of the issues surrounding GDPR
Sales Department: How to Protect Customer Data
As the direct point of contact for end customers (whether B2B or B2C), the sales department also manages large volumes of personal data. The consequences of a leak of this data (due to human error or a malicious attack) would be disastrous: loss of customer confidence, bad image, criminal or financial sanctions, etc., so it is vital you make sure any management of your customer data is especially secure.
Subcontractors are also increasingly asked to provide evidence of their compliance with the legal and regulatory requirements for transparency and data security in invitation to tender bids and sales proposals. Again, implementing tools and processes guarantees you will meet these now common customer requirements.
Our Tips for Making Your Customer Data Secure:
- Implement secure and automated processes and tools
- Conduct regular audits
- Make your team aware of best practices
- Make sure the process for data subjects to exercise their rights is effective and efficient
Finance Department: How to Secure Your Strategic Data
In addition to their administrative role, finance and accounting departments have become a cornerstone of a company’s strategy. They are increasingly equipped with powerful technology tools and can now analyze large volumes of business-critical data.
Data such as sales revenue, budget forecasts, expenditure, income, target figures, etc., is important to your company and any leak could be particularly disastrous. So, you need to make sure this data is kept secure but can still be used and viewed as a decision-making aid and to help analyze the company’s results.
Our Tips for Making Your Strategic Data Secure:
- Replace Excel files, which often have errors, with automated tools
- Use formats for visualizing the data (charts, graphs, etc.)
- Choose shared tools with individual access rights
Technical Responses to Ensure Transparency and Data Security
To help companies implement transparent and secure data management, Cellenza and Databricks experts share their technical expertise with you in a new series of posts.
Discover specific solutions to your problems, use cases, and technical guides for implementing data management that complies with the regulatory requirements.
For more information about technical solution around data privacy, please contact us!
This post was written by Ambre Ulrich, Madeleine de Place and Matthieu Klotz