PRIVACY IN THE DIGITAL WORLD: BEYOND COMPLIANCE, TOWARDS TRUST

PRIVACY IN THE DIGITAL WORLD · concept of privacy in the digital age, both from a general public and regulatory perspective. We hope that our insights will enable large organisations


www.wavestone.com

Wavestone is a new consulting brand, formed by the merger of Solucom and Kurt Salmon’s European business (excluding Consumer Goods and Retail Consulting activities outside of France) in 2016.

Wavestone’s vision is to enlighten and guide our clients in their strategic, value-adding decision-making by capitalising on our functional, industry and technological expertise. Our firm combines the expertise of 2,500 people across 4 continents. Wavestone is also the first truly independent consulting firm in France.


EDITORIAL

Digital data is now a key tool for all organisations. The emergence of new technologies makes it possible to process increasing amounts of data and extract more of the associated benefits.

However, such capacities also spark fear among citizens and regulators, which must be taken into account in order to ensure the success of digital transformation.

In this context, the principle of privacy is evolving, as is the role it can play in current digital transformation.

At Wavestone, we believe it is crucial that both private and public organisations know how to use and handle personal data in order to become digital champions, whilst maintaining a relationship of trust with their employees and customers. For us, transparency is pivotal for maintaining this relationship of trust.

In this publication, we have sought to shed light on the various facets of this complex subject. In so doing, each organisation may determine its own position in the face of privacy challenges in the digital world.

Enjoy!

FRÉDÉRIC GOUX
Partner

“Data is at the heart of the digital revolution. Trust and transparency will be key factors for enabling its success”


AUTHORS

Gérôme Billois
Gérôme is a Senior Manager in Cybersecurity and Digital Trust. He leads large-scale digital transformation and compliance programmes for major organisations. He is a board member of the CLUSIF, co-creator of the Club27001 and member of the committee of regulation for information protection and information technologies. He is an engineering graduate from INSA [email protected] @gbillois

Alessandro Zamboni
Alessandro is a Senior Manager and leads evaluations and impact analyses of European public policies. Alessandro is a graduate of Politecnico di Milano and Executive Master post-graduate at the Solvay Business School. He began his career at General Electric in Hungary and the [email protected]

Raphaël Brun
Raphaël is a Manager in Cybersecurity and Digital Trust and has been working in data protection for many years. He leads projects in personal data protection, regulatory compliance and business or cybersecurity crisis management. ISO 27001 Lead Auditor certified, he is a graduate of the University of Technology of Troyes (UTT) [email protected]

Youri Dufau-Sansot
Youri is a Masters graduate in International Security from Sciences Po Paris and is a Cybersecurity and Digital Trust consultant at Wavestone. He has worked on projects in personal data protection compliance with the new European regulation (GDPR), as well as business and cybersecurity crisis management [email protected]

We would like to express our sincere gratitude to Tine A. Larsen and Milad Doueihi for having provided us with two interviews for this publication. We would also like to thank Armand de Vallois, Jean-Christophe Procot, Hervé Commerly, Pauline Rouaud and Julien Douillard for their contributions to this document.


SUMMARY

Preface

What does privacy mean in a digital world? An exclusive survey conducted by Wavestone

Which legal frameworks should be implemented on an international scale?

Respect for privacy in digital transformation: key challenges and principles

The future of digital privacy


Privacy in the digital world: going beyond compliance and making a success of your digital transformation


PREFACE

In this publication, we seek to provide readers with an understanding of the concept of privacy in the digital age, both from a general public and regulatory perspective.

We hope that our insights will enable large organisations to confront the challenge of privacy in a digital world by aligning their programmes with the increasing expectations of states and citizens.

IN A DIGITAL WORLD, WHAT LEVEL OF PRIVACY?

We used a survey to ask this question to citizens, whether European, American or Chinese. Overview of the results of this survey, followed by the first part of the interview of Milad Doueihi, philosopher.

WHAT ARE THE NEXT CHALLENGES?

Personal data will be at the heart of the next digital evolutions, especially through algorithms. Such evolutions must be anticipated now, and are at the core of our consideration enriched by the second part of the interview of Milad Doueihi, philosopher.

WHICH LEGAL FRAMEWORK AT AN INTERNATIONAL LEVEL?

Protection of personal data is now regulated throughout the world and is increasing exponentially. Overview of the main approaches, supplemented by an interview with Tine A. Larsen, President of the Luxembourg regulator.

RESPECTING PRIVACY IN DIGITAL TRANSFORMATION: KEY CHALLENGES AND PRINCIPLES

Based on the analysis of concrete projects in different business areas, we provide the keys to implement a strategy of trust and transparency with end clients and consumers. The breakdown is illustrated by the testimonies of Armand de Vallois, Jean-Christophe Procot and Hervé Commerly, experts from Wavestone.


In the digital world, citizens, irrespective of their country of origin, are increasingly concerned about respect for their privacy. They trust few organisations; namely traditional players such as banks. Their most important priority? Having control over the data they entrust. Their biggest fear? New technologies leading to a world of increased surveillance.

WHAT DOES PRIVACY MEAN IN A DIGITAL WORLD?

AN EXCLUSIVE SURVEY CONDUCTED BY WAVESTONE


AN INTERNATIONAL SURVEY ABOUT HOW CITIZENS PERCEIVE PRIVACY

The results presented in this paper form a synthesis of the survey as a whole. Detailed results and analysis are available on: www.wavestone.com/insights

The results of this survey should not be viewed as scientific evidence. Rather, it is representative of global and national trends in the perception of privacy by individuals. The survey considers the responses of 1,587 participants, between July and August 2016, across 6 countries.

Younger generations, often perceived as “digital” citizens and more intrigued by the subject of privacy in a digital world, made up the majority of respondents.

A CONSISTENT VISION ON AN INTERNATIONAL SCALE

The countries selected for the survey, namely France, Italy, Germany, China, the United States and the United Kingdom, were selected on the basis of their socio-economic environments and the diversity of regulatory frameworks concerning privacy protection. These elements can influence the perception and opinion of citizens regarding the protection of personal data.

However, despite initial contextual differences, we observed through collected responses that the theme of privacy is perceived in a relatively similar way across the surveyed countries.

[Figure: Panel overview. 1587 questionnaires, collected within 4 weeks, in 6 countries. Breakdown of respondents by gender, age (under 31 / over 31) and nationality.]


FROM FREEDOM TO CONTROL: EVOLUTION OF THE MEANING OF “PRIVACY”

Privacy is traditionally seen as the possibility for an individual to retain some form of anonymity in his or her activities and to have the ability to isolate oneself in order to best protect his or her interests. It is intimately linked to the notion of freedom.

However, analysis of the survey results shows that this notion tends to disappear in favour of the control of information.

We asked our respondents to select one or more definitions that relate to either notion.

Indeed, there are differences and particularities: notably, German respondents place more importance than their counterparts on the definition of privacy relating to personal freedom. Responses from the United States demonstrate less confidence in public institutions.

Generally, however, there is greater global awareness among individuals about privacy and personal data topics. This can be explained by the borderless nature of data and the digital world, with the digital citizen expecting his or her privacy to be respected regardless of borders.

This observation reinforces the importance of respecting privacy in digital projects, regardless of the country and population in question.

What is your definition of privacy today? (Figures correspond to the number of persons who selected each answer)

Have control over who can get information about you: 1092
Not having to disclose what you consider to be a matter of privacy against your will: 1012
Have control over the type of information collected about you: 976
Not being observed or disturbed by others: 858
Have "your" moments, on your own, without being monitored by others: 732
Not being monitored at the office: 537
Not being systematically identified in public spaces: 520
Other: 16

Control: > 60%. Freedom: < 40%.

[Bar chart; each bar is broken down by country: China, France, Germany, Italy, United Kingdom, United States]


It is also important to provide customers and employees with assurance that they have control over their data. This is possible by providing individuals with simple and autonomous means of access.

ALL PERSONAL DATA ARE VIEWED AS SENSITIVE IN THE EYES OF CITIZENS

When questioned about the level of sensitivity, the panel showed slight differences in their responses. Citizens considered most of the proposed types of data as sensitive. They did not perceive that leakage of certain data types could have serious or even irreversible consequences (e.g. health data), in contrast to other data types (e.g. financial data), for which most countries have already implemented regulatory frameworks which protect individuals (for example, rapid reimbursement in the event of fraud).

The most frequently selected responses relate to control. This pattern is confirmed by observing the intermediate proposals. For example, “having control over the type of information collected about you” is a more widely selected response (more than half) than “having moments alone, without being monitored by others”, relating to freedom.

Providing stakeholders with the feeling that they are in control of their data is imperative

According to you, what are the most sensitive data? (rating from 1 to 5)

Financial data: 4.13
Health data: 4.02
Personal data (name, age): 3.96
Behavioural data: 3.87
Contact details: 3.87
Family status data: 3.85
Data on devices and IT network used: 3.83
Localisation data: 3.83
Audio or video data: 3.28
Lifestyle data: 3.14
Other: 0.45


This demonstrates that, regardless of the type of personal data handled by a project, special attention must be given at least to the communication of protection levels.

TRUST VARIES GREATLY FROM ONE SECTOR OF ACTIVITY TO ANOTHER

We asked respondents to indicate which type(s) of organisation(s) they trusted the most with regard to using their personal data for previously authorised use.

Which organisations do you trust?

Banks: 51%
Medical organisations: 45%
Public organisations: 34%
Payment/credit card companies: 29%
Insurance companies: 24%
Energy suppliers: 14%
Transport operators: 13%
Telecommunication operators: 13%
Local shops or online shops: 11%
Other: 10%
Web companies: 9%
Technological companies: 6%
Social media: 5%

More than 25%: Banks, Health, Public institutions, Credit card providers, Insurance
Between 10 and 20%: Energy, Transportation, Telecoms, Retail
Less than 10%: Web companies, Social media, Technological companies

[Bar chart; each bar is broken down by country: China, France, Germany, Italy, United Kingdom, United States]

We can differentiate between three main groups of actors. Firstly, the actors grouped under the category of “institutions” command the highest level of trust among respondents.

/ This includes public institutions, semi-public institutions or entities from the traditional economy with which individuals have historically shared a relationship of trust. This is particularly the case given how such institutions have processed sensitive data throughout their history (medical data, etc.). We also find significant differences within this category, with more than half of respondents claiming to trust banks with the processing of their data. Image and reputation are therefore crucial for banks, which serve to meet customer expectations in the aim of retaining their position as the number one trusted partner.

/ Secondly, an intermediate category encompasses the actors of daily life such as transport operators and energy suppliers. Such B2C actors carry out swift digital transformation and benefit from the existing relationship of trust.

/ Thirdly and finally are actors in the digital economy, whether web giants or technology firms.

/ Mistrust towards such companies can be attributed to the amount of data they collect and use on individuals, as well as recent high-profile prosecution cases related to such use.

However, this result reveals a paradox. Despite this evident lack of trust, individuals continue to frequently use the services provided by these actors, due in part to a lack of alternative, as well as the information entrusted seeming to be, often wrongly, harmless and insignificant in the eyes of the individual.

Banks are the number one trusted partners - a place to be cherished!

The social media paradox: lowest in confidence but highest in use


Although not traditionally thought of as “sensitive”, data on individual behaviours and actions are now viewed as a significant stumbling block between customer expectations about the respect for privacy and the increasingly personalised customer relationship.

NEW TECHNOLOGIES RAISING FEARS

Respondents highlighted four technologies as most likely to put their privacy in danger. What do they all have in common? Making it possible to collect data without this activity being under the control of the persons concerned. This would, for certain individuals, equate to a form of surveillance.

On the other hand, technologies which provide citizens with the ability to choose the data they share, such as connected objects or Cloud services storing private information, are considered less risky in terms of privacy and therefore do not feature as any of the four technologies.

In your opinion, which technologies can threaten your privacy? (rating from 1 to 5, from the least to the most threatening)

Public WIFI to surf on the Internet: 3.87
Drones recording images, videos and sounds in a public space, and the behavior of people: 3.79
Technologies for capturing moods, opinions and how people behave when using Internet: 3.78
Cameras recording images, videos and sounds in a public space, and the behavior of people: 3.75


CITIZENS WHO TAKE ACTION TO PROTECT THEIR DIGITAL PRIVACY

More than half of respondents claimed that they had made certain changes to their online behaviour in order to better protect their data. This illustrates a heightened level of awareness by individuals concerning the protection of their privacy.

It is worth analysing the means individuals use to ensure such protection. Our respondents described the measures they took, divided into two categories:

/ Measures to limit the amount/type of data provided: provision of inaccurate/incomplete information when creating an account, such as the use of a nickname or discarding non-mandatory fields or the use of anonymous accounts...

/ Measures to improve the security of the data provided: increasing the level of security of online accounts such as strengthening passwords, changing passwords regularly, checking access rights and being more attentive when sharing personal information over the Internet…

/ In addition to such measures, we find more extreme solutions. This ranges from the complete closure of accounts on social networks, exclusive use of trusted and tested sites or technologies, to deleting history and cookies with every use of search engines.

While these individual initiatives can contribute to increasing the protection of privacy, they may conflict with new uses and innovation promoted by organisations, thus limiting or even preventing the personalisation of the customer relationship.

Over the last years, have you changed your behavior to better protect your privacy and limit the sharing of your personal data?

Yes: 52%
No: 38%
Don’t know/No opinion: 10%


FOCUS OF THE SURVEY

Are you concerned about your privacy?

All respondents: Yes 75%, No 19%, Don’t know/No opinion 6%

By country:
China (283 respondents): Yes 97%, No 1%, Don’t know/No opinion 2%
France (307 respondents): Yes 81%, No 14%, Don’t know/No opinion 5%
Germany (252 respondents): Yes 53%, No 35%, Don’t know/No opinion 12%
Italy (247 respondents): Yes 65%, No 27%, Don’t know/No opinion 8%
UK (253 respondents): Yes 72%, No 24%, Don’t know/No opinion 4%
US (245 respondents): Yes 78%, No 19%, Don’t know/No opinion 3%

Respecting privacy is a concern for three-quarters of respondents. Chinese respondents were by far the most concerned about the subject (97%).

The United States and France share similar responses to this question despite different visions on the subject.

Germans seem less worried about the topic: 35% of them do not feel concerned about their privacy, which contrasts with their other answers.

Opinions were more dubious on this question in Italy and the United Kingdom.


To what extent do you feel that you have control over your private information?

Response options: Complete control, Partial control, No control at all, Don’t know/No opinion

All respondents: Partial control 68%

Partial control, by country: China (283 respondents) 70%, France (307) 68%, Germany (252) 75%, Italy (247) 72%, UK (253) 68%, US (245) 54%

[Bar charts showing the full breakdown for all respondents and by country]

Generally, respondents estimate that they only have partial control over their personal information. This proportion is markedly similar in five of the countries surveyed (between 68% in France and the United Kingdom and 75% in Germany).

The United States is to be analysed separately, insofar as more than a third of respondents claim to have complete control over their personal information.


In general, do you think that public or private organisations use the information you provide only for a purpose you have authorised?

All respondents: Yes 30%, No 50%, Don’t know/No opinion 20%

By country:
China (283 respondents): Yes 48%, No 37%, Don’t know/No opinion 15%
France (307 respondents): Yes 20%, No 64%, Don’t know/No opinion 16%
Germany (252 respondents): Yes 17%, No 59%, Don’t know/No opinion 24%
Italy (247 respondents): Yes 21%, No 59%, Don’t know/No opinion 21%
UK (253 respondents): Yes 29%, No 45%, Don’t know/No opinion 26%
US (245 respondents): Yes 49%, No 35%, Don’t know/No opinion 16%

A first group stands out: more than 60% on average of French and Italian respondents join their German counterparts in claiming not to trust that organisations use their data exclusively for the purposes announced at the time of collection, even if they entrust them with their data.

These responses contrast with those of Chinese and American respondents, who demonstrate a stronger tendency to trust public and private organisations.

It should also be noted that this is a complex issue for several respondents. Thus, one in five respondents did not express an opinion.


To what extent do you agree that existing laws provide a reasonable level of protection for your privacy?

All respondents:
Fully agree: 15%
Somewhat agree: 36%
Neither agree nor disagree: 22%
Rather disagree: 18%
Fully disagree: 7%
Don’t know/No opinion: 2%

[Bar chart showing the same breakdown by country: China (283 respondents), France (307), Germany (252), Italy (247), UK (253), US (245)]

This question triggered a wide range of responses among the respondents.

Half (51%) of respondents somewhat or completely agree with the statement that existing laws protect their privacy, while one-quarter (25%) somewhat or completely disagree. Almost a quarter (22%) of respondents were unable to decide.

More than two-thirds of Chinese (80%) and US (70%) citizens somewhat or completely agree, even though in both countries national regulations are less developed than in Europe.

About one-third (38% and 31% respectively) of citizens in France and Germany tend to somewhat or strongly disagree, underlining the need for even more regulation.


INTERVIEW WITH Milad Doueihi, philosopher

The first part of our interview with Milad Doueihi, American philosopher and Chair of Digital Humanities at Paris-Sorbonne University, placing privacy in the context of a more global evolution of digital culture and its impact on privacy.

Find the full interview on our website: www.wavestone.com/insights

Is the notion, or indeed value, of private life still relevant today?

It is relevant, but not as we understand it. Private life does not carry the same meaning as in the past, even the recent past. What has changed, with social networks or the Internet in general, is the scale of metadata and logs.

There is a massification in the production of data and this data is now analysed to identify, to follow – that is not to say to spy on – people. Thus, the cultural landscape in which we go about our private lives and the way that individual, public and collective actors perceive it, has changed.

So the challenge of today would be to redefine the notion of a private life in a digital world?

Yes. It is interesting to redefine because it has been subject to many modifications. Some studies show that adolescents, at a particular moment in time, agreed to share more information which their parents would have considered as private. Gradually, behaviours of this type have become more commonplace. What would be interesting to see would be embedding this alteration of private life into the alteration of digital data itself.

Such evolutions in digital technology, as you mentioned, involve progressing from a fixed digital culture to one of mobility in which people enter the public space and interact with others. Has such evolution also changed our relationship to others and our own private lives?

Absolutely. Mobility can be interpreted in different ways. Firstly, there is an essential type of mobility through transitivity between support and tools. We see this today with a kind of continuity (moving from a tablet to a phone to the computer) which did not exist previously. Secondly, a significant amount of data and metadata logs contain geo-location information, transmitted by mobile phones. Finally, the third type of mobility could be related to platforms which collect data. This is the case for the Cloud, for example, which complexifies jurisdiction surrounding the framing of data, calling the need for supervision of data transfers through devices such as safe harbors or privacy shields.

Returning now to the notion of digital identity, it was introduced by the digital revolution and can be differentiated from civil identity. Has this changed our relationship with others and has it redefined what we are willing to share about our identities?

The first phase of digital identity was straightforward: aggregation of our online presence. However, due in part to mobility, the massification of data and the emergence of digital sociability has evolved. We have witnessed a paradigm for personalised recommendations, which harness the elements of the digital identity. This modifies the context of social or economic pertinency, shifting how we view and understand confidence and trust. It is one of the most important success factors which arise with this new form of digital identity. The association of tabular choices, suggested by algorithmic platforms deriving their choices from the analysis of interactions, will produce recommendations. We therefore witness a shift from an era defined by measurement to an area of social precision, of pertinence. This modifies the perception of our relationship to others.


Since the introduction of digital privacy in legislative literature, regulations have become increasingly stringent. The European Union is the engine driving this trend with the General Data Protection Regulation (GDPR), although other countries have not fallen behind as we witness a global effort in establishing regulation for the handling of personal data.

WHICH LEGAL FRAMEWORKS SHOULD BE IMPLEMENTED ON AN INTERNATIONAL SCALE?


AN INCREASINGLY INTERNATIONAL REGULATORY FRAMEWORK

The concept of privacy, in its historical sense, can be traced across several centuries of legislation. It began taking shape in 1948, inscribed in Article 12 of the Universal Declaration of Human Rights: “No one will be the object of arbitrary interference in his private life (...). Everyone has the right to be protected by law against such interference or attacks”.

Regulation around the protection of personal data is a more recent phenomenon. It is directly linked to the development of information technology and the increased collection of data by organisations. In addition, the market value of data adds a further layer of complexity with the emergence of an international regulatory consensus.

[Figure: General Data Protection Regulation. Entry into force: 25th May 2018. The regulation “lays down the rules on the protection of individuals regarding the processing of personal data by institutions and bodies of the Union and on the free movement of such data.” Panels: “Strengthening existing measures” and “Main obligations”. Items shown: single point of contact; fines up to €20 million or 4% of global turnover; data protection delegate; data protection by design; data violations reporting; consent; portability; right to oblivion; responsibility.]

Sweden was the first state to establish legislation on the subject in 1973. In France, the “Loi Informatique et Libertés” was enacted in 1978, following debates over the Safari project, aimed at creating a centralised database of information about individuals.

Without reviewing each national law and its timeliness, an analysis of the initiatives implemented on regional scales provides a holistic view of the main privacy trends.

EUROPEAN UNION: THE STATE PROTECTING ITS CITIZENS

The European Union was the first institution to establish legislation on the subject in 1995 with the publication of Directive 1995/46/EC. This first attempt at creating legislative harmony on an institutional and European scale has been followed by the implementation of numerous principles, defined in the law of various Member States, including the establishment of supervisory authorities. This legislation is rooted in the “Guidelines for the Protection of Privacy and Transborder Flows of Personal Data” published by the OECD in 1980, which were non-binding.

In April 2016, the European Union elected to strengthen its legislation with the General Data Protection Regulation (GDPR), which, unlike the 1995 directive, will be directly applicable in the law of the Member States of the European Union. Its implementation is planned for May 2018, when organisations must ensure their compliance with the requirements of the regulation. Developments will take place in e-privacy in the near future, aligning traditional requirements on privacy with more recent developments and innovation, thus addressing the topics of secrecy and correspondence in the digital age. Through such literature, the European Union will adopt the position of a protector of citizen data.

US: MAKING PEOPLE AWARE OF THEIR RESPONSIBILITIES

There is no specific regulation nor regulator within American law which oversees the collection and use of personal data at a federal level. Instead, the United States operates under a combination of laws which apply to certain sectors or states. Some regulation covers specific categories of personal data, such as financial data or health-related data, while others regulate activities which exploit such data, such as digital marketing. In addition to such regulations, best practices developed by federal agencies and industrial groups are also used as a means of auto-regulation. The Fourth Amendment of the US Constitution can also be referenced for the protection of personal privacy. Finally, laws around consumer protection, while they do not regulate personal privacy, forbid practices around the disclosure of personal data. Nevertheless, American citizens display a certain degree of flexibility regarding the distribution of their personal data.

In 2016, the United States and the EU drew up a new arrangement, the Privacy Shield, designed to offer better protection for data transfers

As shown by the evolution of “Safe Harbor”, differences exist between the American and the European vision. This legal mechanism was implemented to ensure the protection of data transfer between the EU and the USA until October 2015, thereafter invalidated by the Court of Justice of the European Union (CJEU). According to the CJEU, the level of data protection offered by the United States was no longer satisfactory in light of the information leaked by Edward Snowden regarding the global surveillance programme operated by the American government. In February 2016, the United States and the EU drew up a new arrangement, the Privacy Shield, which came into force in August 2016 and is designed to offer better protection for data transfers.

ASIA: A SITUATION UNDER DEVELOPMENT

With respect to data protection, we can categorise Asian countries and territories in two ways. Some are relatively mature on the subject, including South Korea, Singapore, Hong Kong or Taiwan. Until recently, China did not have any specific personal data protection legislation. However, in November 2016, new regulations applicable to operators from June 2017 were implemented. This new regulation will integrate widely agreed principles on respecting personal privacy and will require the storage of personal data on Chinese territory.

On the other hand, other countries in the area are yet to implement regulations regarding the protection of personal data on a large scale, despite on-going debates.


REST OF THE WORLD: REGIONAL INITIATIVES UNDER DEVELOPMENT

In Africa, the first legislation on the subject was implemented in 2001, in Cape Verde. In 2004, Burkina Faso was the first state to establish a national regulator. At the regional level, the African Union Convention on Cybersecurity and Personal Data Protection, signed by 18 countries in 2014, incorporates notions derived from European legislation, with no legal binding.

In the Middle East, states such as the United Arab Emirates (UAE) and Saudi Arabia do not have specific legislation regarding the protection of personal data. Specific to these countries is the application of Sharia law, stating that damage can be claimed if the disclosure of personal data leads to abuse or damage.

In South America, several countries implement independent regulators. Moreover, they benefit from constitutional guarantees regarding personal data protection. This is particularly the case in Uruguay and Argentina, two countries recognised by the European Union as providing sufficient levels of data protection.

[Figure: world map of data protection legislation. Legend: countries of the EU or the EEA; considered as acceptable by EU; independent authority and law(s); with a legislation; no laws. Source: Cnil.]


Find the full interview on our website: www.wavestone.com/insights

How has the role of a supervisory authority like the NCDP evolved over the past few years? Will the role change again under the new GDPR?

The role of the NCDP is constantly evolving as it must address the changes driven by developments in information technology. The last 15 years have witnessed the emergence of social networks, Cloud computing and an exponential increase in collected data. It is now easier than ever to acquire the necessary IT resources to process such data. The NCDP must adapt its role when facing these new challenges. In addition, citizens are more and more conscious of their rights and the necessity to better protect their privacy in an increasingly digital world. The new European regulation reinforces the supervisory role of the NCDP, allowing the NCDP to more strictly impose administrative fines which must be effective, proportionate and deterrent.

In your view, why have the topics of privacy and data protection become so important for the general public over the last few years?

With the “computerisation” of our society over the last two decades, the development of blogs and social networks and the internationalisation of nominative data flows have radically changed the game. The exchange of personal data has become a global phenomenon, corporate IT infrastructure is increasingly outsourced to the Cloud and the Internet is the most widely used tool in our daily lives. Moreover, the volume of personal data has witnessed an explosion indicated by the unprecedented rise of data storage centres across the world. The development of new technologies such as artificial intelligence and data mining techniques will also considerably increase data processing and analysis capabilities.

INTERVIEW WITH

Tine A. Larsen, president of the National Commission for Data Protection (NCDP) of Luxembourg


From a citizen point of view, if you ask a young person what is their most important possession, the majority will answer “my smartphone”. This object, coupled with data servers hosted across the Internet, holds information about most aspects of their lives and the associated data. Citizens wish to benefit from services generated by the global collection of data (personalised services, social networks…) whilst preserving their privacy.

Is there any difference in perception between European regulators over what is at stake and the future application of GDPR?

To implement GDPR, European legislators will benefit from experiences from the application of the 1995 directive. The transposition of the directive by the Member States generated national legal literature marking differences between each country, which did not contribute to the uniform application of the principles of data protection at the European level. The choice of regulation as a legal instrument rather than a new directive is justified by the desire to avoid discrepancies between Member States and to contribute to the emergence of a Digital Single Market.

There are perceived differences around the regulation because of the history and the modus operandi of the different supervisory authorities. However, such differences should only play a minor role in the application of the regulation by European authority, while the European Commission for the protection of personal data (successor to the working group of “Article 29” established in the 1995 directive) will harmonise the application of the regulation inside the European Digital Single Market.

What should we retain from GDPR and the main developments it brings to citizens, companies, administrations and public entities?

This new regulation clearly prioritises addressing the concerns of citizens, consumers and indeed all stakeholders involved in the field of data protection.

It is built upon transparency, requiring companies to use easily understandable and accessible language in all communications with individuals. The list of information which must be communicated has also been considerably extended. The conditions for obtaining prior consent were clarified, including for children and adolescents. Finally, individuals benefit from new rights such as the right to erasure (right to oblivion) and the right to portability allowing for better control over what happens to personal data.

The regulation not only affects the way companies can be held accountable, but links the processing of personal data to the entirety of the sub-contracting chain. We can expect a net decrease in declarative constraints to the NCDP. But the consequence of this reduction places the expectation of robust accountability measures by companies, whilst offering them increased freedom in the implementation of their personal data management policy. At all times, such companies must be capable of demonstrating the relevance and adequacy of technical and organisational measures implemented to guarantee data protection.

Administrative and public entities must also be compliant with the requirements of the new regulation. However, the literature allows Member States to legislate in the relevant public authority domain, such as for national security. To support stakeholders in the implementation of the regulations, data protection officers will become mandatory, while only compulsory in certain situations for companies.

Numerous digital initiatives have taken off in recent years (Big Data, IoT, Blockchain). What risks do these technological advancements carry for citizens?

A very important risk is the generalisation of automated decision-making based on the increasingly detailed digital profiles of individuals. Technologies are shaping a society where algorithms will soon dictate all decision-making. This context raises questions about the human aspect as well as the quality and reliability of data found in digital profiles. However, this is not just about risk. Such technologies also hold fruitful opportunities for improving the quality of life of citizens. For example, the blockchain system has become an integral component of finance in the economy of Luxembourg.

One benefit of the new regulation is that it avoids specific mention of technologies and rather concentrates on risk management principles and techniques linked to data protection. However, risks will indeed evolve with technological advancement. It will therefore be necessary to maintain efficient and appropriate risk management strategies.

Are the impacts of innovation well understood by citizens?

As with every new technology, we always find discrepancy between its introduction into society and the perceived risks or disruption this technology will create. However, with data protection principles applied from conception and by default, European legislature will in any case require that the creation of new devices and services will consider data protection requirements from the offset. In the same way that passenger safety is central to the manufacturing of cars, data protection will serve at the core of technological advancement.

“A very important risk is the generalisation of automated decision-making based on the increasingly detailed digital profiles of individuals”


Ensuring the respect of privacy in a digital world not only requires integration into every project, but integration into every company culture. This approach will also facilitate compliance with new regulations in the respective countries.

RESPECT FOR PRIVACY IN DIGITAL TRANSFORMATION: KEY CHALLENGES AND PRINCIPLES


MANY PROJECTS AIM AT DIGITALISING BUSINESS PROCESSES AND CUSTOMER RELATIONSHIPS IN ORDER TO OPTIMISE EXISTING PROCESSES, INTRODUCE CUSTOMER PROXIMITY OR OFFER NEW SERVICES

The following examples, based on Wavestone’s consulting experience, illustrate such trends.

Historically, postmen, meter readers and service technicians have worked with paper (address databases, meter-reading or maintenance documentation). Work is organised according to the tasks to be performed and can usually be operated alone and independently throughout the day, before information is collected and consolidated at the end of a work shift.

The dematerialisation of such paper-based processes is intended to help organisations or agents in their activities by collecting data, better organising the work to be performed and sequencing tasks.

This digitalisation process occurs in different sectors for specific purposes. For example, in the energy sector, smart meters create innovative opportunities around energy saving and fraud management through the collation of consumption data. In the insurance sector, accumulating data on customer preferences enables the personalisation and customisation of services and the development of additional offerings.

Such developments require the collation and manipulation of masses of personal data.

CYBERSECURITY ALONE IS NOT SUFFICIENT FOR PROTECTING DIGITAL PRIVACY

To protect personal data so crucial to the digital market, organisations will pursue cybersecurity measures, such as secure transfer protocols or data encryption. However, we may question if such measures are sufficient, while concerns over data misuse, profiling and automated decision-making intensify. An IT security-oriented approach alone is not sufficient. To address the fears over the respect of privacy, it is essential for organisations to reassure individuals by guaranteeing the non-manipulation of data without their prior knowledge and against their will.


FOUR MAJOR PRINCIPLES

The following guiding principles are to be applied in the collation and use of personal data.

1. Communicate transparently and explicitly, informing individuals on the data that is collected about them even if not directly obtained from those concerned. Our survey essentially illustrates this meaning of privacy to citizens: what kind of information is accessible about me, and to whom? It also means sharing the reasons behind data collection and the intended usage. Under no circumstances should data be collected without the purpose of collection disclosed to the persons concerned. Recent sanctions from regulators have illustrated that such activity is always exposed in the media, with heavy reputational impact and lost customer confidence often the damaging consequences. Building a relationship of trust takes years, whereas losing it only takes minutes.

2. Minimise the collection and storage of personal data. Less data collected about an individual means a lower risk of unauthorised and non-compliant use. For existing data, it is possible to process data while minimising risks through the use of “declassifying” techniques such as anonymisation, pseudonymisation (replacing direct identifiers with “codes”), randomisation (randomly generated data which retains the statistical value but conceals the origin) or generalisation of data sets.

Regarding data sharing and exchange, mathematical methods facilitate the exchange of data between two organisations, whilst ensuring data anonymity. When selecting such methods, it is important to assess their limitations. A poorly executed “sensitivity reduction” can still directly lead to the source of original data. For example, this can involve deleting the name but keeping the date of birth, place of birth and address.

Such methods enable organisations to optimise the customer relationship in two ways: by providing a better understanding of the digital customers’ profile and by demonstrating respect for customer privacy. This is the path chosen by Apple through the concept of differential privacy to differentiate from competitors Google and Microsoft.

3. Ensure individuals are in control of their personal data not by generating value through the access to data, but rather by providing individuals with control over their data, allowing services to develop based on their needs.

This approach, labelled “self-data”, can be applied in the context of an energy consumption optimisation project, an example of which is to ask customers to indicate the temperature in their homes to record the potential cost savings associated with heating reduction. An individual will then be informed of the potential cost savings by autonomously using and managing a self-data Cloud platform, connected to his personal equipment to enable the cross-analysis of data through consultation of his digital thermometer and energy bills.

Use cases for self-data are also subject to research in the insurance sector, with some insurance companies contemplating the complete removal of client spaces to instead install them on self-data Cloud platforms. The insurer will then have access to the data belonging to his client but is no longer in ownership of that data.

Beyond self-data, such trends may even lead to the “Green Button” mechanism where individuals explicitly validate access to their data at any time. This principle, albeit difficult to implement in practice, can be restricted to particularly sensitive data, such as health data.

4. Implement a win-win model by clearly demonstrating the benefits generated by collecting and using data, not only for the organisation but also for individuals. Such benefits can be shared with customers through various means, such as additional services, rebates and compensation.

This approach may even drive the ease in adoption of new uses in an environment where increases in market share carry significant impact.

Ultimately, we are able to identify several levers in motion for building an honourable circle of trust when using an individual’s data with respect and for the purposes of increasing the level of confidence.
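The second principle above (minimise) warns that deleting the name while keeping date of birth, place of birth and address can still lead back to the individual. The following Python sketch is an added example, not part of the original paper: it measures that risk with k-anonymity (a measure chosen here, not named in the paper) on constructed records, first after pseudonymisation alone and then after generalisation; all field names, records and the key are assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample records for illustration; none describe real people.
RECORDS = [
    {"name": "Alice Martin", "dob": "1984-03-12", "birthplace": "Lyon",
     "address": "4 rue Verte, 69003 Lyon", "kwh": 3200},
    {"name": "Bruno Petit", "dob": "1986-11-02", "birthplace": "Lyon",
     "address": "18 quai Sud, 69002 Lyon", "kwh": 4100},
    {"name": "Chloe Durand", "dob": "1981-07-25", "birthplace": "Lyon",
     "address": "7 place Nord, 69007 Lyon", "kwh": 2900},
    {"name": "David Leroy", "dob": "1992-01-30", "birthplace": "Paris",
     "address": "22 rue Haute, 75011 Paris", "kwh": 3600},
    {"name": "Emma Moreau", "dob": "1995-09-14", "birthplace": "Paris",
     "address": "3 avenue Est, 75015 Paris", "kwh": 2500},
    {"name": "Farid Benali", "dob": "1998-05-08", "birthplace": "Paris",
     "address": "9 rue Basse, 75018 Paris", "kwh": 4700},
]

# Fields that are not direct identifiers but identify a person in combination.
QUASI_IDENTIFIERS = ("dob", "birthplace", "address")
GENERALISED_QIS = ("birth_decade", "birthplace", "department")


def pseudonymise(record, key):
    """Replace the direct identifier (name) with a keyed code."""
    code = hmac.new(key, record["name"].encode("utf-8"), hashlib.sha256)
    out = {k: v for k, v in record.items() if k != "name"}
    out["pid"] = code.hexdigest()[:12]
    return out


def generalise(record):
    """Coarsen quasi-identifiers: decade of birth, postcode department only."""
    out = {k: v for k, v in record.items() if k not in ("dob", "address")}
    out["birth_decade"] = record["dob"][:3] + "0s"
    postcode = re.search(r"\b(\d{5})\b", record["address"])
    out["department"] = postcode.group(1)[:2] if postcode else "unknown"
    return out


def k_anonymity(records, qis):
    """Size of the smallest group sharing the same quasi-identifier values."""
    groups = Counter(tuple(r[q] for q in qis) for r in records)
    return min(groups.values(), default=0)


def uniquely_linkable(released, reference, qis):
    """Count released records matching exactly one record in a named reference set."""
    ref_groups = Counter(tuple(r[q] for q in qis) for r in reference)
    return sum(1 for r in released
               if ref_groups[tuple(r[q] for q in qis)] == 1)


def assess(key=b"constructed-demo-key"):
    """Compare re-identification risk before and after generalisation."""
    pseudonymised = [pseudonymise(r, key) for r in RECORDS]
    generalised = [generalise(r) for r in pseudonymised]
    # A party holding names plus the same attributes (e.g. a directory),
    # coarsened the same way so that the comparison is like for like.
    reference_generalised = [generalise(r) for r in RECORDS]
    return {
        "k_pseudonymised": k_anonymity(pseudonymised, QUASI_IDENTIFIERS),
        "linkable_pseudonymised": uniquely_linkable(
            pseudonymised, RECORDS, QUASI_IDENTIFIERS),
        "k_generalised": k_anonymity(generalised, GENERALISED_QIS),
        "linkable_generalised": uniquely_linkable(
            generalised, reference_generalised, GENERALISED_QIS),
    }


if __name__ == "__main__":
    for metric, value in assess().items():
        print(f"{metric}: {value}")
```

A result of k = 1 means at least one record is unique on its remaining attributes, so a release gate can refuse to share a data set until k reaches an agreed threshold.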

[Figure: the four principles: transparency; control by individuals; win-win model; minimisation / desensibilisation.]


What changes have occurred over the last few years in the mass retail sector?

Over the last decade, we have shifted from a distribution model focusing on costs and volume to a model based upon understanding our customers. Mass distribution is thus a thing of the past, as it completely overlooks the interests of the customer relationship. Nowadays, our model gathers and stores knowledge about our customers, allowing us to develop closer proximity with the customer and loyalty programmes which support the frequency and consistency of their purchases.

How should organisations handle such changes?

In recent years, awareness by business stakeholders of the opportunities that come with the high potential of customer data has increased. Nevertheless, resources must be used wisely in supporting the efforts of organisations to get closer to their customers. Data must be collected, handled and reconciled against frameworks which correspond to customer expectations and regulatory requirements.

For example, the “opt-in” option is a good way to ensure that customers are well informed and accept the collection and processing of their data.

Increasingly, rewards are used as a means for encouraging customers to accept the disclosure of their data. However, this model has its limitations. It is essential to ensure that services are of interest to customers and contribute to the ease of their lives, as well as ensuring that individuals have agreed to provide their data.

Do you have some examples of projects which created apprehension?

The introduction of RFID chips (integrated technology which enables the identification and follow-up of objects or people) in electronic tagging is a good example.

Many projects have been launched in the textile industry based on optimising production costs, inventory automation in stores and warehouses as well as the ease of chip insertion into clothes. It is crucial to have real-time knowledge of stock levels and to have reliable information in an omni-channel context, where it is increasingly common to see online purchases made ahead of in-store collections.

INTERVIEW WITH

Armand de Vallois – Consumer goods & distribution

RFID chips can also contribute to data production based on customer journeys and the actual product itself, for example calculating ratios to record the number of times a product has been tried on in a fitting room compared to successful purchases of that product. This type of information is essential in the context of fast fashion in the textile industry.

However, such chips are also a cause for concern. For example, salesmen can “potentially” connect a customer to a product (the RFID chips use unique identifiers) and track their activity over the duration of their shop visit (the chipset remains activated).

How did you address these concerns?

We implemented what we call “Privacy By Design”, which goes beyond strict principles regarding chip use (identification and follow-up of products, not customers) and incorporates several other principles:

/ A visible marker showing that clothes are equipped with a RFID chip

/ Training sales teams so they are better qualified to respond to customer queries, such as informing customers that chips may be removed by cutting the tags attached to a product, a service offered in stores, or declaring that the company in question will never connect a customer and a chip

/ Dedicated webpages for communicating all information required to understand the chip and the data it collects

These are some examples of best practices which are applicable to all projects involving the treatment of sensitive data. We must lead by example when handling and informing individuals about how to handle such data. It is therefore crucial to reassure customers and answer their questions so as to anticipate and alleviate their concerns.

“Increasingly, rewards are used as a means for encouraging customers to accept the disclosure of their data”


How is the concept of privacy between employees and employers perceived?

It is a concept that has changed significantly over the last few years. The privacy concerns of employers about their employees is that they often do not devote enough time to their work. For employees, the notion of privacy goes hand in hand with flexible working conditions such as flexible hours, reduced surveillance and teleworking arrangements. Employees also value a limit on the amount of information that the employer can gather about them.

On the basis of this concept of privacy and to improve employee privacy, employers increasingly seek to support employees in their personal lives through well-being services such as laundry and daycare services, company restaurants and complementary insurance. However, providing such support also requires that the employer knows more and more about the private life of employees, such as the composition of their family and eating habits linked to religious beliefs.

What explains such concerns?

It should be understood that employers are increasingly interested in collecting data to improve understanding of their employees. Employees are increasingly reluctant to communicate this information, especially the younger workforces. Employers want to retain their employees for longer, facilitate their decision-making and help them to perform more effectively and efficiently in their professional and personal lives. The employer collects such data not directly communicated by the employee themselves but from third parties, such as social networks, previous employers, managers, and data inputs from work tools.

Both employees and customers are concerned by this development. One would almost say that, by definition, employees suspect employers of attempting to monitor their every move. The employee is then left to wonder how it is possible to retain control over privacy if employers collect all this information about them, not necessarily provided by the employee themselves, leaving them powerless if the employer chooses to correlate data for making decisions about an employee, unbeknown to them.

INTERVIEW WITH

Jean-Christophe Procot & Hervé Commerly – Human Resources

Do you have an example of a recent project which echoed such concerns?

The plan of the French government to introduce a tax withheld at source on an employee’s salary is an example of this. The aim is to simplify an individual’s life by avoiding deferred payments which can lead to difficult situations. For example, tax collection methods for the state can be improved with a reduction in income set by the employer as an indication that an employee is no longer able to pay the tax rate of the previous year. However, citizens are quick to express concerns about the information their employer holds about them. As well as financial information, a tax return can contain additional private information such as marital status, children, ancillary income and any assistance provided to persons with difficulties. The objective should be therefore to ensure that the purpose of the data collected will be limited to tax purposes and that access to such data will be controlled. The employee wants to ensure that his or her data will not be used for any purposes other than that previously agreed to, such as modifying a salary due to learning the employee’s ancillary income.

What developments have taken place in human resources management that will impact the protection of personal data?

Several major trends have emerged:

/ Big Data in recruitment activities, particularly sourcing, which should be supervised in order to ensure legitimacy when collecting data

/ The multiplication of decision-making for career managers (for example, the creation of succession trees or the identification of key personnel) for automated decision-making, a sensitive topic for regulators

/ Mobility, with an increasingly frequent introduction of new professional mobile terminals which do not facilitate the separation between the data produced in private settings and data produced in professional settings. The question of the “right to disconnect” is also alluded to regularly.

“Employees are increasingly reluctant to communicate this information, especially the younger workforces”


Principles around respecting digital privacy should establish an enticing corporate culture for customers

Beyond simply complying with different regulations, not necessarily the most effective means to building trust in the digital customer relationship, the best practices described below have proved in our experience to be most effective with respect to change management.

Best practice n° 1

Formalise a company-wide ethical charter

A company-wide ethical charter will provide a strong basis for building respect for privacy. Sharing this charter throughout the organisation will reinforce key organisational principles of transparency and trust. It can be written as part of the implementation of binding corporate rules (BCR), in efforts to establish frameworks treating more important issues than simple data transfers. By introducing a selection of simple yet effective rules to follow, such as the introduction of prior consent by default, an organisation can develop its principles and company philosophy. The charter will aim to cover all personal data, whether from customers, partners or employees. Beyond a binding regulatory aspect, it will above all ensure that organisations look to develop their treatment of such issues in an increasingly digital world. Its adoption at a corporate level combined with an effective communication campaign will ensure the message is disseminated across to all employees. It will also contribute to the corporate social commitments of the organisation.

Best practice n° 2

Establish a privacy ethics committee

To handle the most complex issues at an operational level, a privacy ethics committee will be implemented. This committee may be attached to existing organisations responsible for ethics and professional conduct. Composed of members of various business lines, including (but not limited to) IT, HR, compliance, legal and customer relations, the committee will be chaired by a member of senior management. It will arbitrate situations experienced in particularly data-sensitive projects and handle any received complaints. It will also serve as part of the communication strategy on the subject of respect for privacy.


Best practice n° 3

Facilitate the implementation of “Privacy by Design” by the business lines

Respect for privacy in the digital world is a relatively new concept, yet to be fully embraced and implemented by organisations. A dedicated operational effort should be made to equip the relevant teams with simple and effective tools to integrate such concepts into projects. A privacy impact assessment of projects (based on the types of data collected and how it is proposed to be processed) using a matrix is a strong lever for privacy by design, which helps to prioritise projects in terms of key business stakes. For “high impact” projects, risk analysis methods or communication kits for customers or employees can be implemented.

Best practice n° 4

Integrate respect for privacy into business objectives and monitor their application

In order to create an honourable circle of trust within the organisation, business and / or project manager objectives will be determined. Objectives will be based on the monitoring of simple indicators put in place to ensure that respect for privacy is reflected in each business project. For example, we can measure milestones or achievements such as evaluating the risks of data processing or the application of measures required for transparency, such as communication with customers. The control and regular reporting of such indicators will contribute to best practice governance with respect to privacy. Incentives may even be introduced by the ethics committee, such as awards for projects demonstrating the most respect towards privacy.

Best practice n° 5

Conduct a compliance programme focused on (but not limited to) GDPR

This programme will organise all the tasks aimed at ensuring compliance with different legal and legislative literature linked to the protection of personal data. The biggest priority over the next two years (by May 2018) will be the implementation of the EU regulation, General Data Protection Regulation (GDPR). This is largely due to the substantial financial impact that non-compliance (fines of up to 4% of global consolidated turnover) can inflict.

In addition, GDPR is highly regarded as an international benchmark standard, where it is viewed that ensuring compliance with GDPR will facilitate compliance with other international regulations.

Beyond compliance on a European scale, this programme will also have a regulatory function in monitoring regulatory developments across different countries, as well as developing the GDPR programme itself to ensure a more widely applicable level of compliance.

Best practice n° 6

Equip the CIO with tools to protect and monitor data

In order to process data and protect collected data, investment in IT-related solutions is necessary. Such investments will be towards implementing solutions such as anonymisation, data encryption and management of access rights. Investments in cybersecurity, particularly for detecting and responding to incidents related to obligations around customer notification, will also contribute to efforts in challenging cybercrime more broadly.


Best practice n° 7

Communicate clearly and widely to anticipate concerns and reassure

Concerns that emerge from digital innovation and development require early communication in order to reassure individuals and gain their support for change. Such communications should be transmitted globally, demonstrating the social commitment of organisations with respect to privacy. For example, this may include incorporation into CSR policy, as well as within each project. The reasons for data collection, data processing and the measures taken to ensure safety can be communicated, without the use of legal or technical jargon. Such communications must be prepared to respond to issues or questions raised by customers and employees. Such interactive aspects will be integrated at the project or processing design stage.

Best practice n° 8

Remain vigilant and know how to adopt innovation

It is evident that regulatory, technological and use frameworks centred around the subject of protection of digital privacy are changing rapidly.

In order to capitalise on such innovation, observation of regulatory developments and intelligence processes will be necessary. Such initiatives will support approaches based on the rapid adoption of relevant innovation, ensuring effective structural positioning over time.

ORGANISATION IS KEY FOR IMPLEMENTING BEST PRACTICES

Depending on the purpose of organisations and the nature of their actions, the implementation and facilitation of the aforementioned best practices may be conducted by teams responsible for ethics, compliance, legal issues or even supporting the CIO. European regulation requires the appointment of a Data Protection Officer (DPO). Such a role is essential for ensuring compliance by an organisation. Above all, it ensures that the principle of respect for privacy is ingrained within the DNA of an organisation. The impact of a Data Protection Officer’s actions will correspond to his or her reporting lines and the communication made around his or her appointment.


FOCUS: GDPR COMPLIANCE PROGRAM AND KEY CHALLENGES

In the situation where an organization has to comply with the GDPR, it will be necessary to initiate a specific compliance program to be aligned with the requirements of the directive. With regard to the large number of those requirements, numerous challenges must be undertaken through several major streams:

⁄ Global program steering, including the creation of group guidelines interpreting the regulation in the specific context of the company, the coordination of local tasks and the implementation of change management;

⁄ Compliance with the customers’ and employees’ data requirements, including the production of the inventory of data processing, risk analysis and the associated remediation plan, as well as the roll-out of the consent, information and rights exercise principles;

⁄ Implementation of the accountability, containing the implementation of audit and control plans, the construction of the Privacy by Design process, reporting to top management and regulatory authorities, as well as the reporting of data breaches;

⁄ Management of the IT evolutions, comprising the roll-out of portability, cleanse and anonymization solutions.

These challenges require a well-defined program organization and an established associated governance: what are the respective roles of the DPO, of the compliance function, of the legal function, of the CIO, of the CDO (Chief Digital Officer), and of the support business lines and functions? This organization will need to be able to centrally pilot, coordinate and equip the program to enable the local implementation of the compliance by the teams directly in touch with the processing.


What would be the 3 challenges to be tackled first and foremost?

1. The implementation of Privacy by Design, a pre-requisite to improve over time. It is the obligation to perform risk analyses related to the privacy of individuals (discrimination, dissemination of confidential data, etc.) before implementing the most sensitive processing, and with each modification of the processing. Companies will have to adopt appropriate security measures in order to mitigate such risks. Concrete actions to be conducted include an update of the project methodology to identify sensitive processing as soon as possible, as well as the definition of a risk analysis method to be introduced. Support can be found in the practical guides developed by the regulatory authorities (including the CNIL’s “The study of the impact on Privacy”), which will need to be simplified and adapted to the context and specific needs of the company.

2. The notification of data breaches, a challenge for the client relationship. The regulation introduces an obligation to report data breaches to the competent authorities. The notification of such data breaches to the concerned individuals is only mandatory if the company is unable to prove that it has taken appropriate steps to make such breaches inconsequential. Hence the benefits gained from a properly carried out risk analysis and from the definition and implementation of appropriate measures. To meet this requirement, two processes will have to be developed or overhauled. The first is a detection and alert process for data breaches, which will integrate the reporting to the authorities. The second is a new client relationship process to ensure that, when compulsory, the correct actions will be taken to notify the clients (by email, registered letter, press release…) and to manage subsequent interactions with all stakeholders (questions, complaints…), which will often be dealt with via the implementation of dedicated call centers and the quick training of the relevant parties.

3. The adoption of the principle of accountability. Every company will now need to be able to demonstrate its compliance with the regulation. This requirement will be reflected by the implementation of a personal data management framework policy; an associated organization; operational procedures covering the topics of the regulation (information, respect of the rights of the people, transfer to sub-contractors…). The company will also need to be able to prove the application of such policies, and, consequently, to implement audit and control processes.


THE FUTURE OF DIGITAL PRIVACY

The future evolution of digital technologies and how they are used, particularly for automation and artificial intelligence, will place even greater importance on personal data. How do we prepare for such developments?


PROTECTION OF DIGITAL PRIVACY: BEYOND COMPLIANCE…

We have seen on an increasing scale that digital transformation raises concerns related to data protection, as well as to the legitimacy of the purposes for which data are used.

Digital technology is perceived as accelerating, informing and increasing the reliability of the decision-making process. In the future, automated use cases of technology will emerge: for automating financial investment decisions, predicting diseases and finding their cures, autonomous vehicles, not to mention the arrival of robots in everyday life.

However, in order to address this level of automation, it will be necessary to collect data directly or indirectly (via the Internet, from partners, etc.) from individuals. This data will have to be increasingly interconnected in order to facilitate these new uses.

The multiplication of this correlated data combined with the emergence of automation through the use of algorithms understandably provokes fear in individuals about the decisions over which they have no control.

To capitalise on the next stage of the digital revolution, employees and customers will thus have to be prepared to partially or fully delegate decision-making.

Such delegation, as Milad Doueihi claimed, involves the action of entrusting a third party.

Algorithms and associated digital services do not appear today as neutral and independent actors.

It is therefore necessary to develop trust, at the risk that new proposed services will not be accepted by individuals.

This move is anticipated by major Internet companies such as Amazon, Google, Facebook, IBM or Microsoft, the latter of which recently announced a partnership to develop artificial intelligence for the benefit of citizens and society, with the immediate involvement of an ethics committee.

… TOWARDS BUILDING TRUST FOR THE FUTURE

For all organisations and companies concerned, trust must be a criterion of differentiation in customer relationships and human resources management.

Meeting the challenge of building digital trust should therefore not be seen as a regulatory or security issue. Rather, it should be seen as an in-depth transformation of the customer and employee relationship and the way in which digital technology is used. This change must be deeply rooted in the foundation of organisations and businesses.

Protecting privacy in today’s digital world means doing digital differently.


The second part of our interview is with Milad Doueihi, American philosopher and Chair of Digital Humanities at Paris-Sorbonne University, placing privacy in the context of a more global evolution of digital culture and its impact on privacy.

In the world of digital technology, the word “algorithm” comes up often. Do algorithms produce unbiased choices or are they like people, with a digital identity?

There is a type of fetishism surrounding algorithms. We have witnessed a shift from the era of data to what we could call algorithmic governance. We are governed, shaped and spied on by algorithms, whether from large corporations or intelligence services. In my view, an algorithm is a digital cultural “being” because it is built by people who make decisions informed by economical or cultural factors, which are mostly implicit. Moreover, such algorithms can produce unexpected or not necessarily programmed results. There is certainly an element of the unknown in the results.

Nowadays, we are faced with the choices suggested by these algorithms, which anticipate what we will be interested in. For example, Facebook will prioritise showing our closest friends’ posts. Does this lead to a restriction of our freedom in exchange for a little more convenience?

Other forms of individual autonomy appear because of increasing levels of automation through algorithms and the gradual removal of classical intermediaries. What is crucial to me is understanding the links between autonomy and automation. Instead of questioning liberty, we should be questioning autonomy. Autonomy is now a method of delegation. We agree to delegate through an established trusted third-party: for example, a friend. Nowadays, we are witnessing a transformation in the way we are autonomous in public spaces, as well as in private and confidential spaces, which is particularly striking to me. The boundary between the two is difficult to determine and maintain.

INTERVIEW WITH

Milad Doueihi, philosopher


“Yet, through the blockchain, we will transfer our trust from banks and states and into the hands of the colossal computing and calculation power of machines. This signifies a major shift in delegation”

Can we delegate in a trustworthy manner with current Web tools and digital technologies in general?

In my view, we should master the tools we use and monitor the transparency and loyalty of the algorithms on which they are built. We should understand how algorithms produce recommendations before a decision is made. There is a form of reciprocity between individuals, their interactions and the way that the algorithm functions.

In your view, how should the consequences of digital cultural evolution and private life be taken into consideration by governments and the business world?

Data and its management has become a real factor of trust between people, communities and societies. I believe that states, as is already the case in Europe, should contribute to protecting the personal data of their citizens. Such data is meant to be protected by a “jurisdiction embassy”. This means applying rules governed by the citizens’ country of origin and not the country where the data is stored or processed. Sovereignty is at the heart of the problem. In fact, we must surpass the classical juridical sovereignty of states, which is a territorial sovereignty. The data characterising a citizen’s identity should be accompanied by legal frameworks not restricted to location but which are intrinsic to a citizen’s country of origin.

Another solution which seems realistic to me and which can be applied in firms, as well as on a national scale, is to have explicit and accessible customer policies on the way data is handled. We have the right to access, control and appeal the content of our data within legal boundaries. Yet, this principle is not consistently applied.

To conclude, could you share with us what you believe could affect the evolution of digital in years to come, especially related to privacy?

Blockchain seems interesting to me, because it helps to automate and erase the human factor, often considered the weakest element of the chain. Yet, through the blockchain, we will transfer our trust from banks and states and into the hands of the colossal computing and calculation power of machines. This signifies a major shift in delegation.


www.wavestone.com