The use of personal data sits at the centre of frequent news stories and controversies and is an issue familiar to everyone. The General Data Protection Regulation (GDPR), adopted by the European Union in 2016, has nonetheless provided a legal framework within which both private and public organisations are subject to rights and obligations.
Simple as it may appear, rigorously applying a legal text quickly runs up against the realities of practice. How can an article, a paragraph or a set of conditions be translated into concrete actions that guarantee the rights and freedoms of a company's employees as well as its customers? And how can this data be leveraged to create added value for clients?
Following an initial collaboration with the CNPD (National Commission for Data Protection) in 2017 to extract the legal requirements arising from the GDPR, Stéphane Cortina and Philippe Valoggia, researchers in the IT for Innovative Services department at LIST, are developing a reference model from which it is possible to assess, in accordance with the ISO/IEC 33000 series of process assessment standards, the technical and organisational capability of a company to protect personal data.
"This model is goal-oriented. In other words, it is used to assess whether the technical and organisational measures implemented by a company to achieve compliance are achieving the expected results. It's a goal-oriented model," explains Stéphane. On this basis, the researchers are able to analyse the strengths and weaknesses observed and to structure improvement recommendations with a view to drawing up a compliance plan.
In collaboration with POST, Stéphane and Philippe's team went out to meet employees and collect data on their business practices, from points of sale to back offices. This was an ambitious exercise given the diversity of practices across POST's mail, finance and telecom services. "In this way, we confront the model with field reality, while offering companies an assessment of their ability to protect personal data. For example, we were able to help them assess their ability to react in the event of a data breach, or their ability to satisfy their clients' exercise of their rights," says Stéphane.
Using a workshop approach this time, the researchers also helped the Caisse Nationale de Santé (CNS) during the definition and implementation phase of its processes. "The objective was to assess whether the operational measures they wanted to implement, or those already in place, would indeed comply with the various legal requirements of the GDPR through our model," explains Philippe.
In a trial with a business travel firm, the LIST model helped go beyond the simple notion of GDPR compliance and raise awareness of data-economy opportunities. "Because of their smaller size, we were able to take the analysis one step further by identifying the opportunities they could have in terms of new business and added value for their customers, based on the exploitation of their data," explains Philippe. As the researchers point out, many companies make only minimal use of their data so as not to take any risks with regard to European regulation. However, a thorough assessment of their internal processes can not only help establish compliance but also help them develop new services that benefit their customers.
As part of this innovative project, Stéphane and Philippe wish to validate their model in order to confirm its completeness and usability. To do so, the researchers want to conduct more case studies with Luxembourg companies. "We have planned five practical cases and are therefore in discussions about carrying out the last two. Our goal is to be able to test all the processes included in our model through a global case study," explains Stéphane.
LIST's ambitions do not stop at the model. For data protection to become a driver of companies' digital transformation, the costs incurred by implementing regulatory compliance need to be kept under control. To that end, LIST intends to build on its Data Analytics Platform (DAP) and use artificial intelligence to develop easy-to-use and cost-effective data protection assessment solutions.
In addition, LIST continues its efforts to support companies in developing new services based on the exploitation of personal data. To this end, an internal project is working to clarify how such services should be designed on the basis of the "Data Protection by Design and by Default" principle set out in Article 25 of the GDPR.