Personal data : an enduring misunderstanding

A great deal of enterprises consider that the data they collect and store are their « property ». Regarding personal data, of course it's not true.

As a matter of fact, in the data world, you must distinguish the « container » from the « content ». Companies own the containers and processings, but the contents are and remain the full and whole property of those who are at the origin of the data.

The consentments to use personal data granted to companies are limited in time and in purpose; in no case do they grant a proprietary right. In this sense, the data can be likened to software licenses : their use is not a « transfer » of ownership.

Rights of individuals

GDPR requires companies to respect the rights of individuals (aka data subjects) : right of access, right of rectification, right to object, right to be forgotten, etc. In this perspective, it’s a matter of applying basic rules of « good relations » between an individual (« owner » of the data) and a company (temporary « renter » of the data); the latter must manage the goods they use with « due diligence ».

Risks for the enterprise

As owners of the data, the concerned individuals rightfully expect the « renters » to know at the very least where the data are stored and what use is made of them. Furthermore, as data manager, the company must maintain quality and ensure protection of the data.

owner keys photo

Not knowing the location and uses of personal data or, worse, a failure in one of the other obligations represents a potential danger for the enterprise for the simple reason that the owners may exercise their rights at any time and the company has only 72 hours to respond.

In order to properly assess the risks involved, it is necessary for companies to identify the origin and the consequences.

  1. The origin

The « personal data » concept aimed by GDPR is very broad in its definition « any information relating to an identified or identifiable natural person » as it is in its scope of use : structured databases, electronic documents, websites, images, sounds, printed documents, etc.

The size of the field of investigation for the implementation of GDPR makes it essential to establish the list of personal data and their multiple locations in the different areas of use.

  1. The consequences

These identification and location activities must be rigorously held in order to be the most exhaustive possible. For example, the non-identification of a piece of data goes against the right of access and the lack of knowledge of the location prevents the application of the rights of rectification and to be forgotten.

Generally, non-compliance to the rights of individuals has these notable effects :

  • A break of « trust » between the company and the concerned individuals leads to  :
    1. Loss of customers and loss of turnover
    2. Investor misappropriation
    3. Concern in the staff
    4. A sentiment of fear in suppliers
  • The triggering of the tooled and special controls of the National Authority resulting in :
    1. The publication of notices of non-compliance
    2. The restriction on use
    3. Heavy, even very heavy administrative penalties
  • Legal proceedings for compensation claims for the individuals concerned in the context of a « class action » initiated and conducted by specialized law firms
  • Possible criminal convictions for the head of the company

On the contrary several studies have shown that respect of the rights and obligations created under the GDPR is a real opportunity for companies. According to a Boston Consulting Group [1], study, by inspiring customer confidence, the volume of collected data can increase by a factor of 5 to 10, creating new opportunities : laying the foundation of the relationship with customers by knowing them better, maintaining and increasing their confidence, developing a marketing relationship more adapted and in line with the expectations of consumers. The results of this study are confirmed by a Bizreport [2] survey according to which 78% of consumers share information with brands that give them control over how they are contacted. This approach of personalization and relational proximity aims at customer loyalty and can be compared to the « small neighborhood shopkeeper » who knows his customers well, cares for them with a certain tenderness and casually collects confidences.

The tooled solutions

REVER, is a software publisher specialized in data management and governance which offers a range of specialized products in the domains of personal data identification, finding and extraction in application databases, electronic documents and sounds. These tools are combined in the RGS software suite (Real GDPR Solution) that allows companies to be compliant with GDPR and to serenely answer requests from national authorities (processing register) and concerned individuals (personal records).

banner white paper gdpr




Dominique Orban de Xivry