Can you tell us what the Global Data Protection Regulation (GDPR) is and what impacts this European law will have for Worldline and all companies in general?
Firstly, the GDPR is the most important change in terms of data privacy regulation in 20 years and it will come into force on May 25th, 2018. It is really the first European data-focused law as only directives were established in the past and had to be translated into national laws by member states. This European law will harmonize data protection law across Europe. The GDPR focuses on data subjects’ individual rights and transparency related to data usage. Furthermore, it emphasizes the inherent risks for data subjects linked to the processing of personal data. The GDPR is changing the game in that regard as all member states, companies operating in these countries and all companies processing European citizens’ personal data will have to adhere to this law and protect data subjects’ rights. Finally, it brings a different approach to data protection by introducing the concept of privacy by design and by default and making it into a law.
Worldline did not wait for the GDPR to handle data protection at the utmost level as our business activities require it intrinsically. We were already doing it, this law is now formalizing it as an obligation. That said, my recent nomination to the newly created Global Data Protection Officer (DPO) role within the company can be, to some degree, attributed to the GDPR. As said previously, Worldline has been taking care of data protection on all levels for many years and this law gave us the opportunity to coordinate our data protection related actions across the company and to create a community of Data Protection Officers across our geographies.
As the Global DPO, what is your role and missions and what action plans are you managing in order for Worldline to be a GDPR-compliant company?
As mentioned earlier, Worldline has established a community of DPOs, each with their own business scope and jurisdiction. As the Global Data Protection Officer, I am firstly “primus inter pares”, meaning that I head this community of individuals who are very enthusiastic about moving forward and collaborating together on this topic. It is important to note that a DPO is, first and foremost, a consultant for management, focusing on creating awareness around data protection issues and providing the right level of training throughout the company.
Currently, our DPO community is working, in program mode, on a series of internal initiatives, to be completed by the time the GDPR goes into effect. These initiatives include adapting our policies, performing an inventory of all the data processing Worldline performs as part of its business and keeping track of all legal implications and collaborating with our legal experts on these matters, among others. In this context, we also work with the Atos Group to get support, knowledge and material to back our multiple actions. One of these key helpful materials is Atos’ Privacy Impact Assessment (PIA).
The DPO community is also involved in the company’s CSR strategy to some extent. For example, one of our TRUST 2020 program’s key objectives is to reach 100% of our critical processing covered by said PIA. And this is just the tip of the iceberg when it comes to the Privacy Impact Assessment as it is a key tool in the inventory of all our processing we are currently conducting in order to minimize our customers’ risks when it comes to data protection.
Worldline is known for connecting and securing transactions between different parties (banks, corporations, governmental entities…). How will Worldline support its clients in the context of the protection of personal data and transactions in all business aspects?
Besides the fact that this is mandatory by law, we have to fulfill our ongoing obligations to our customers and, in turn, they have to do the same for their end customers. Worldline has always been a proponent of staying ahead of regulations and a key part of our client value proposition is making sure our clients are compliant with the law and all regulations. Additionally, while digitization and digital transformation bring new opportunities for our clients and for the end users, potential threats have also increased. This is why another key element of our value proposition is the enhanced security we bring to this digital world.
As previously discussed, Worldline’s business activities, notably in payments and e-Health transactions, require specific attention to data protection, which means that we were, in some way, already prepared for parts of the GDPR even before it was announced. For example, we are PCI DSS (Payment Card Industry Data Security Standard) certified, a certification without which Worldline could not operate as a card payment processor. With this ongoing attention to data protection in all our solutions, we can already offer solutions such as identity management with biometrics allowing our clients to secure their strategic assets, but also GDPR-compliant solutions such as our e-identity, e-safe and massive push mail solutions. Worldline also has strong experience in data analytics to support its customers in data classification as requested by the new rules.
How should businesses prepare for these changes?
In my opinion, it is first essential for businesses to know about and understand these obligations. More than that, it is of paramount importance that businesses have a good comprehension of the risk-centric approach that is introduced by the GDPR. They should compare said obligations with what they have been doing in the past, transpose them in the context of their activities and adapt their processes as needed in order to be fully compliant.
Finally, new regulations often arouse new opportunities beyond compliance constraints. According to you, is it going to be the same with the GDPR?
Indeed, the GDPR is like all other regulations in the sense that it is sure to bring its fair share of new opportunities. We have already discussed how we plan to help our customers reach GDPR compliance with our solutions, but it goes beyond that. Worldline also works closely with them, almost in a consultant capacity, to perform an inventory of their portfolio, their business and their processes in order to ensure data security and privacy. We work hand-in-hand with our customers, solution-wise and process-wise, when it comes to what we are delivering in terms of services or products. We are learning a great deal from our internal inventory and we plan to use these key learnings, and parts of our framework, in a way that is adapted to our customers and their business activities to help them in the context of the GDPR.