While the Minister of Justice Sonia LeBel intended to dust off Quebec’s privacy laws with a new bill, Cyrille Aubergier, CISO at SitaOnAir, demystifies the challenges of the General Data Protection Regulation (GDPR). Here are the 3 points to remember from his interview for INTRASEC, In Fidem’s cybersecurity channel.
Understanding GDPR
During his interview, Cyrille Aubergier wanted to explain the purpose of the european regulation.
First applied two years ago, the GDPR aims above all to strengthen the rights of individuals by making public or private organizations responsible for the protection of personal data.
Indeed, collecting, processing and storing personal information implies taking the necessary measures to protect it. These measures must guarantee that privacy is insured.
What are the major changes brought up by the GDPR?
While some organizations take a lot of time to reveal that they have been victims of a security breach, such as Yahoo for example, which took several years before admitting the breach of 3 billion email addresses, the european regulation require the companies to notify the authorities and the people concerned of any cybersecurity incident affecting personal information, within a maximum of 72 hours.
In addition, heavy penalties are imposed in the event of a breach of obligations under the GDPR. It is the case of Google which was imposed in France by the CNIL (National Commission of the Computing and Liberties) to pay a 50 million euro fine, that is to say more than 76 million dollars, for its lack of transparency on data processing in particular.
The european regulation also imposes penalties in the event of an attack if the cybersecurity measures in place have not been deemed sufficient. Uber, who was sentenced in 2018 by the CNIL to pay a fine of 400,000 euros, or more than 600,000 dollars, could have suffered much more severe sanctions if the GDPR had been in force at the time.
This said, the GDPR authorizes sanctions of up to 4% of a company’s annual global turnover.
This is why Cyrille Aubergier insists on the importance of demonstrating the efforts made to protect data: implementation of monitoring processes, cybersecurity incident management, notifications, backup,… both because this is necessary and also to reduce financial penalties.
As a reminder, canadian authorities will seek to understand what happened, what was stolen and the risks to the end user. The regulations (Law on the Protection of Personal Information and Electronic Documents – PIPEDA) do not yet provide for sanctions as heavy as the GDPR but the movement is underway with the bill tabled by the Minister of Justice Sonia Lebel.
Another significant innovation: the responsibility of companies is not limited to the data that passes through the organization. The GDPR has indeed placed greater importance on the role played by suppliers by directly supervising their activities. Thus the GDPR has forced organizations to set up security standards and to choose subcontractors who themselves put in place technical and organizational measures that meet the requirements of the regulations.
For this, companies must assess their suppliers, and in particular the supply chain, to determine their compliance with regard to GDPR.
GDPR compliance: between illusion and reality
Taking concrete action to comply with the regulations is no small matter.
Cyrille Aubergier explains that it is almost impossible for a company to fully apply the GDPR requirements. Why? Even if RGPD has become a standard, even a model for many countries and states suchy as Russia and California, organizations are faced with regulatory contradictions in terms of data retention or deletion for example, as soon as when these are processed, stored or when data comes from an entity outside of the European Union.
In the case of SitaOnAir, the company relied heavily on its legal department to find the right compromise that could satisfy the majority of the countries with which it does business. But his first recommendation remains to comply with the most demanding regulations.
To conclude, Cyrille Aubergier wishes to recall that even if the text has considerably strengthened the obligations of managers and suppliers, the legislation in this area is not meaningless. From the moment a company collects, processes and stores data, in particular personal information, it must protect it. That’s why, it recommends collecting only the information you really need to conduct your operations. And as soon as a piece of data is no longer useful to you, erase it!
Find his full interview in French on:
Do you need support to set up technical and organizational measures in your business? Do you want to assess your risks and test your IT strategies? Contact us now?
