Although data is considered to be the fuel of digital economies, it cannot be collected, held or processed freely. On the contrary, the use that companies can make of it is increasingly regulated. “The management of data, particularly personal data, has been regulated for many years. 2018 was a turning point in this area, with the entry into force of the General Data Protection Regulation (GDPR). Through the latter, the European legislator wanted to update the existing framework so that it is better adapted to digital uses, which have developed in recent years,” explains Nicolas Guzman, a member of the data protection office team at Banque Internationale à Luxembourg (Bil). “Above all, this regulation has strengthened the rights of European citizens with regard to their data and the uses that can be made of it.”
Guaranteeing trust
Applying equally to all businesses, the GDPR required major efforts to achieve compliance and, six years on, it still heavily mobilises legal, compliance and data protection teams on a day-to-day basis. Luxtrust's chief legal regulatory officer and deputy CEO explains: “As well as putting in place procedures to ensure that the organisation complies with these regulations, we have to carry out extensive monitoring and control work on an ongoing basis. While this is restrictive, it also contributes to the trust that customers place in us. For us, as a trusted service provider, this is essential. We maintain a rigorous approach to personal data management.”
More specifically, the GDPR grants a number of rights to citizens in relation to their personal data. These include the right of access, the right to data portability and the right to be forgotten, enabling individuals to ask any company to delete all the information it holds about them.
Vigilant citizens
And citizens do not hesitate to assert their rights. “Generally speaking, they are increasingly aware of the issues inherent in data protection. As a result, we are regularly approached by our customers and employees. Some people are simply curious, wanting to know what personal data we hold on them. Some people ask us questions about the data we process. We also have people who, after carrying out a credit simulation, ask for their data to be deleted,” comments Guzman. To be able to respond effectively to these requests, organisations need to have identified all the personal data they hold and ensure that it is kept to a minimum--in other words, that they only collect and retain data that is strictly necessary for the proper performance of a service. They must also have mapped all processing operations and kept them up to date in a register.
Consent and minimisation
Luxtrust is very careful, and its chief legal regulatory officer points out that the company manages a limited amount of personal data. This concerns identity data--surname, first name, place and date of birth, nationality--the sensitivity of which is relatively limited. “It’s true that our users come to us regularly to assert their rights,” adds Reuland. “The reality is that we only have the information needed to establish their digital identity, which in particular enables them to authenticate themselves for secure online transactions. A supermarket chain offering loyalty cards to its customers manages more personal data relating to consumer habits. Many citizens, sometimes without being aware of it, share a lot of personal data spontaneously, on the Internet, on social networks.”

Trend in the number of complaints. Source: CNPD
Raising awareness, training and support
In addition to setting up and overseeing internal data management policies, the data protection officer, a position attached to the legal or compliance department, is also responsible for raising awareness and training teams to ensure that data is used in compliance with regulations. The data protection officer also monitors new developments, whether a new service or a solution that involves data processing, to ensure that they are compliant. Collecting new data or implementing new processing may require obtaining user consent, updating the conditions of use and informing users of any changes. “To meet transparency requirements, you need to document the processing and ensure that the data is captured, hosted, used and protected correctly,” explains Reuland.
Security and resilience
Today, the GDPR provides the foundation for the management and protection of personal data. Since its entry into force, however, the regulatory framework has expanded considerably, notably reinforcing the requirements already established for information protection and for the processing carried out. Dora, Nis2, the Data Act and the AI Act are just some of the texts that data protection professionals and legal officers need to be aware of. “Our organisations have to deal with ever more numerous and intense cyber threats. In the light of our obligations, measures aimed at guaranteeing data protection and preventing any risk of leakage are becoming increasingly important,” comments Reuland.
These measures are not aimed only at personal data. For example, Dora, which aims to strengthen the operational resilience of financial players, and Nis2, which concerns the security of essential service providers, require the protection of critical data to be guaranteed. “At bank level, data is everywhere. It is necessary for most of the functions and services offered. It is therefore essential to ensure its security, confidentiality and integrity, in particular to guarantee business continuity,” says Guzman.
Working with IT
Compliance officers must therefore be able to deal with a wide range of issues, including technical aspects. At Luxtrust, Reuland directly supervises the legal, compliance and IT security functions. “It’s important for us to be able to work hand in hand with the product and IT teams to understand the various issues linked to the new regulations that are coming in, to ensure that compliance measures are taken and that information security is guaranteed,” she explains. “When it comes to security issues, it is essential to put in place robust processes based on best practice.”
Following the ‘zero trust’ approach, for example, it is necessary to start from the principle that no user or administrator can be trusted, so as to strengthen controls and manage access and identities in order to limit risks as much as possible. “If you want to host certain data in the cloud, you also need to take steps to guarantee confidentiality, by ensuring that the data remains in Europe or by using encryption solutions,” explains Guzman. “We are extremely vigilant about these aspects. Any project can only be implemented if we obtain all the necessary guarantees.”
Beyond personal data
Since 1 January 2024, the Data Act has set the framework within which data can be shared. At a time when ecosystems are becoming increasingly interconnected, it was essential to lay down a set of rules. Today, for example, our phones and cars produce an impressive amount of data all the time. Much of it is transmitted in real time to manufacturers, application publishers and dealers, who use it for a variety of purposes. “How can this data, which is not necessarily personal data, be shared, used and processed? These regulations provide essential clarification, protecting their true owners and preventing unauthorised use,” says Reuland.
The AI Act, which has been in force since 1 August 2024 and will be fully in force in two years’ time, also provides a framework for the uses that can be made of artificial intelligence and, consequently, of the data that will feed these tools. Here too, compliance officers are in the front line to ensure that uses are compliant. To keep up with the challenges inherent in data management, teams have had to expand. At Luxtrust, Reuland tells us, the team under her supervision has tripled in five years.
An evolving framework
What’s more, although the GDPR came into force in 2018, its application still raises many questions or may be subject to various interpretations, depending on the case or context. “We have to keep an ongoing legal watch, to keep abreast of court rulings made in relation to data management and protection or sanctions imposed by supervisory authorities, such as the CNPD in Luxembourg. The framework is constantly evolving, and we have to make sure that, according to the case law, we remain compliant,” concludes Guzman.
Violation
The GDPR requires that a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data must be notified to the CNPD within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of data subjects. In 2023, 434 data breaches were reported to the CNPD, 23% more than in 2022. Roughly two-thirds (64%) of personal data breaches are caused by human error (internal non-malicious acts).
This article was written for the November 2024 edition of Paperjam magazine, published on 23 October. The content is produced exclusively for the magazine. It is published on the website as a contribution to the complete Paperjam archive.