The GDPR is not merely an IT problem, neither is it merely a legal problem …
Khagan's core business has historically been in banking and insurance. As in healthcare, personal data is particularly sensitive in both industries. Our clients are companies of all sizes. They asked us what we propose to support them in their GDPR implementation, and that is why we decided to deal pragmatically and quickly with what many see as one more constraint.
We could have written a positive note about why the GDPR is a good initiative. But given that companies must focus on their business and are already drowning under new constraints and regulations, we have simply limited this paper to our vision of GDPR implementation.
GDPR is not an IT subject
More than half of the articles we see on the subject are written by IT integration services companies or security vendors, who are very effective at making the company's IT security watertight and hence protecting all of its data. That is good, but unfortunately somewhat reductive. In the best case there will be a classification of the company's data, but that still leaves gaps that any inspection by a data protection authority would expose.
GDPR is not a legal issue
Many GDPR-related articles present a contractual vision of the regulation. These articles often start by frightening you and showing everything that you do wrong, in order to push you into merely reviewing your internal and external contractual documents. They sometimes suggest that additional registers be put in place.
The actions such articles suggest are necessary and in accordance with the demands of the GDPR. But the GDPR is a distorting magnifier of the bad habits most of us have picked up through our training and professional moulds: engineers take refuge in a technical comfort zone, while lawyers find refuge in the comfort of contracts. In both cases, the coherence that governance brings is lacking. Moreover, alignment with the organization's strategy is often lacking as well.
The person in charge of the GDPR is a rare bird
Article 37(5) of the GDPR states that the Data Protection Officer (DPO) "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39".
Although Article 37(5) does not specify the skills that should be considered when appointing the DPO, DPOs must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It can also prove helpful if the DPO has gone through specific training certified by the authorities.
Understanding of the business and of the organization of the controller is also a requirement. The DPO should also have a good understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.
In the case of a public authority, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.
It is important to understand that, for now, there are only self-proclaimed experts in the GDPR, because there is no training duly validated by the supervisory authorities. The authorities are themselves still ramping up and have not yet had time to certify trainers. Today we notice that, with two to five days of training, you can claim to be a certified DPO.
The Khagan approach on the GDPR
Khagan leverages its banking and insurance expertise. In these industries, the GDPR is a "non-event", as most of the underlying concepts have always been applied. All our consultants have worked under very stringent and secure management of IT systems and data, from both an internal and an external point of view.
As we have always done, we manage the GDPR with a pragmatic governance approach that allows you and your partners to soundly face an audit by the regulator or any internal or external complaint. Our implementation approach uses a set of documents that you can tailor to your needs. The set mainly includes:
- A checklist and methodology, with an introduction to the topics to be covered and an explanation of the methodology
- Useful procedures to implement in your company (customer requests, recruitment …)
- A list of communications to put in place
- Forms and documents to support your GDPR path (decisions taken, impact assessment, report to the supervisory authority)
- A template for the data inventory, to know, among other things, where each piece of information is located
- One empty processing register and another already filled in, to save you time during the implementation
- Several contractual clauses already drafted, to append to your different contracts
We also propose an outsourced-DPO service because we know that many companies do not have audit and control staff to independently manage the GDPR process.
Arnaud BRUN & Jean-Christophe MATHONET
My job has been about promoting business in technology-intensive environments. I manage and energize large teams to go beyond their own expertise and drive them to success in international environments. To achieve this, I use the experience gained in the telecommunication and broadcast industries, where I acted both as business manager and business unit developer.
My strengths are in presales & project management, GDPR, cyber security, identity & network management, and all around business development.
+32 493 36 62 15
Co-Founder & Partner
My experience as CFO and CRO and Board Member in financial services, banking and insurance allows me to cover a wide range of topics: general management of entities, risk and finance management, corporate taxes, supervision of IT and operations, accounting, budgeting, creation and restructuring of legal structures, regulatory reporting, acquisition of companies, operational statistics, and management accounting.
My strengths are in Finance and Risk Management
+32 475 28 84 23