GDPR, chair Values and policies of personal information

Personal data: How the GDPR is changing the game in Europe

The new European regulation on personal data will become officially applicable in May 2018. The regulation, which complements and strengthens a European directive from 1995, guarantees unprecedented rights for citizens, including the right to be forgotten, the right to data portability, and the right to be informed of security failures in the event of a breach involving personal data… But for these measures to be effective, companies in the data sector will have to be in agreement. However, they have little time to comply with this new legislation that, for most companies, will require major organizational changes. Failure to make these changes will expose them to the risk of heavy sanctions.

 

With very little media coverage, the European Union adopted the new General Data Protection Regulation (GDPR) on April 27, 2016. Yet this massive piece of legislation, featuring 99 articles, includes plenty of issues that should arouse the interest of European citizens. Because, starting on May 25, 2018, when the regulation becomes officially applicable in the Member States, users of digital services will acquire new rights: the right to be forgotten, in the form of a right to be dereferenced, an increased consideration of their consent to use or not use their personal data, increased transparency on the use of this data… And the two-year period, from the moment the regulation was adopted to the time of its application, is intended to enable companies to adapt to these new constraints.

However, despite this deferment period, Claire Levallois-Barth, coordinator of the IMT chair Values and policies of personal information (VPIP) assures us that “two years is a very short period”. The legal researcher bases this observation on the work she has carried out among the companies she interviewed. Like many stakeholders in the world of digital technology, they find themselves facing new concepts introduced by the GDPR. Starting in 2018, for example, they must ensure their customers’ right to data portability. Practically speaking, each user of a digital service will have the option of taking his or her personal data to a competitor, and vice versa.

Claire Levallois-Barth, coordinatrice de la chaire VPIP.

Claire Levallois-Barth, coordinator of the chair Values and policies of Personal information

Two years does not seem very long for establishing structures that will enable customers to exercise this right to data portability. Because, although the regulation intends to ensure this possibility, it does not set concrete procedures for accomplishing this: “therefore, it is first necessary to understand what is meant, in practical terms, by a company ensuring its customers’ right to data portability, and then define the changes that must be made, not only in technical terms, but also in organizational terms, including the revision of current procedures and even the creation of new procedures,” explains Claire Levallois-Barth.

The “privacy by design” concept, which is at the very heart of the GDPR, and symbolizes this new way of thinking about personal data protection in Europe, is just as restricting for organizations. It requires the integration of all of the principles that govern the use of personal data (principles of purpose, proportionality, duration of data storage, transparency…) in advance, beginning at the design phase for a product or service. Furthermore, the regulation is now based on the principle of responsibility, which implies that the company itself must be able to prove that it respects this legislation by keeping updated proof of its compliance. The design phases for products and services, as well as the procedures for production and use must therefore be revised in order to establish internal governance procedures for personal data. According to Claire Levallois-Barth, “for the most conscientious companies, the first components of this new governance were presented to the executive committee before the summer of 2016.

 

Being informed before being ready

While some companies are in a race against time, others are facing problems that are harder to overcome. During the VPIP Chair Day held last November 25th, dedicated to the Internet of things, Yann Padova, the Commissioner specializing in personal data protection at the French Energy Regulatory Commission (CRE), warned that “certain companies do not yet know how to implement the new GDPR regulations.” Not all companies have access to the skills required for targeting the organizational levers that must be established.

For example, the GDPR mentions the requirement, in certain cases, for a company that collects or processes users’ data, to name a Data Protection Officer (DPO). This expert will have the role of advising the data controller—in other words, the company—to ensure that it respects the new European regulation. But depending on the organization of major groups, some SMEs will only play a subcontracting role in data processing: must they also be prepared to name a DPO? The companies are therefore faced with the necessity of quickly responding to many questions, and clear-cut answers do not always exist. And another reality is even more problematic: some companies are not at all informed of the contents of the GDPR.

Yann Padova, commissaire à la CRE.

Yann Padova, CRE Commissioner

Yann Padova points out that before they can be ready, companies must be aware of the challenges. Yet he recognizes that he “does not see many government actions in France that explain the coming regulations.” Joining him to discuss this subject on November 25, lawyer Denise Lebeau-Marianna—in charge of personal data protection matters at the law firm of Baker & McKenzie—confirmed this lack of information, and not only in France. She cited a study on companies’ readiness for the GDPR that was carried out by Dimensional Research and published in September 2016. Out of 821 IT engineers and company directors in the data sector, 31% had heard about the GDPR, but were not familiar with its contents, and 18% had never heard of it.

 

Without sufficient preparation, companies will face risks… and sanctions

For Claire Levallois-Barth, it seems obvious that with all of these limits, not all companies will comply with all aspects of the GDPR by 2018. So, what will happen then? “The GDPR encourages companies to implement protection measures that correspond to the risk level their personal data processing activities present. It is therefore up to companies to quantify and assess this risk. They then must eliminate, or at least reduce the risks in some areas, bearing in mind that the number of data processing operations is in the tens or even hundreds for some companies,” she explains. What will these areas be? That depends on each company, what it offers its users and its ability to adapt within two years.

And if these companies are not able to comply with the regulations in time, they will be subject to potential sanctions. One of the key points of the GDPR is an increase in fines for digital technology stakeholders that do not comply with their obligations, especially regarding user rights. In France, the CNIL could previously impose a maximum penalty of €150,000 before the Law for a Digital Republic increased this amount to €3 million. But the GDPR, a European regulation with direct application, will repeal this part of French regulation in May 2018, imposing penalties of up to €20 million euros or 4% of a company’s total annual worldwide turnover.

The new European Committee for data protection—currently called G29—will be in charge of organizing this regulation. This organization, which combines all of the European Union CNILs, has just published its first three notices on the regulation issues that require clarification, including portability and the DPO. This should remove some areas of uncertainty surrounding the GDPR, the biggest of which remains the question of the GDPR’s real, long-term effectiveness.

Because, although in theory the regulation proposed by the EU is aimed at better protecting users’ personal data in our digital environment, and at simplifying administrative procedures, many points still seem unclear. “Until the regulation has come into effect and the European Commission has published the implementing acts presenting the regulation, it will be very difficult to tell whether the protection for citizens will truly be reinforced,” Claire Levallois-Barth concludes.

 

 

Marius Preda

Marius Preda

Télécom SudParis | #Augmented reality #Multimedia #3D

[toggle title=”Find all his articles on I’MTech” state=”open”]

[/toggle]

Carnot TSN, Scalinx, electronics

Scalinx: Electronics, from one world to another

Belles histoires, bouton, CarnotThe product of research carried out by its founder, Hussein Fakhoury, at the Télécom ParisTech laboratories (part of the Télécom & Société numérique Carnot institute), Scalinx is destined to shine as a French gem in the field of electronics. By developing a new generation of analog-to-digital converters, this startup is attracting the attention of stakeholders in strategic fields such as the defense and space sectors. These components are found in all electronic systems that interface analog and digital functions, whose performance depends on the quality of the converters they use.

 

We live in an analog world, whereas machines exist in a digital world,” Hussein Fakhoury explains. According to this entrepreneur, founder of the startup Scalinx, all electronic systems must therefore feature a component that can transform analog magnitudes into digital values. “This converter plays a vital role in enabling computers to process information from the real world,” he insists. Why is this? It makes it possible to transform a value that is continually changing over time, like electrical voltage, into digital data that can be processed by computer systems. And designing this interface is precisely what Hussein Fakhoury’s startup specializes in.

Scalinx develops next generation analog-to-digital converters. Based on a different architectural approach than that used by its competitors, the components it has developed offer many advantages for applications that require a fast digitization system. “By using a new electronic design for the structure, we provide a much more compact solution that consumes less energy,” the startup founder explains. However, he points out that the Scalinx interfaces “are not intended to replace the historical architectural in every circumstance, since these historical structures are essential for certain applications.

Hussein Fakhoury, the founder of Scalinx

These new converters are intended for specific markets, in which the performance and the efficient use of space are of upmost importance. This is the case in the space electronics, defense, and medical imaging sectors. For this last example, a prime example is ultrasound. While today we can see the fetus in a woman’s womb in two dimensions using ultrasound technology, medical imaging is increasingly moving towards 3D visualization. However, to transition from 2D to 3D, probes must be used that use more converters. With the traditional architectures, the heat dissipation would become too great, and would not only damage the probe, but could inconvenience the patient.

And the obstacles are not only of a technical nature; they are also strategic. The quality of an electronic system depends on this analog/digital interface. Quality is therefore of utmost importance for high-end systems. Currently, however, “the global leaders for high-performance components in this field are American,” Hussein Fakhoury observes. Yet the trade regulations, as well as issues of sovereignty and confidentiality of use can represent a limit for European stakeholders in critical areas like the defense sector.

 

A spin-off from Télécom ParisTech set to conquer Europe

Scalinx therefore wants to become a reference in France and Europe for converters intended for applications that cannot sacrifice energy consumption for the sake of performance. For now, the field appears to be open. “Few companies want to take on this strategic market,” the founder explains. The startup’s ambition seems to be taking shape, since it benefited from two consecutive years of support from Bpifrance as the winner of the national i-Lab contest for business start-up assistance in 2015 and 2016. It also received an honor loan from The Fondation Télécom in 2016.

Scalinx’s level of cutting-edge technology in the key area of analog-digital interfaces can be attributed to the fact that its development took place in an environment conducive to state-of-the-art innovation. Hussein Fakhoury is a former Télécom ParisTech researcher (part of the Télécom & Société numérique Carnot institute), and his company is a spin-off that has been carefully nurtured to maturity. “Already in 2004, when I was working for Philips, I thought the subject of converters was promising, and I began my research work in 2008 to improve my technical knowledge of the subject,” he explains.

Then, between 2008 and the creation of Scalinx in 2015, several partnerships were established with industrial stakeholders, which resulted in the next generation of components that the startup is now developing. NXP — the former Philips branch specialized in semiconductors—France Télécom (now Orange) and Thalès collaborated with the Télécom ParisTech laboratory to develop the technology that is today being used by Scalinx.

With this wealth of expertise, the company is now seeking to develop its business and acquire new customers. Its business model is based on a “design house” model, as Hussein Fakhoury explains: “The customers come to see us with detailed specifications or with a concept, and we produce a turnkey integrated circuit that matches the technical specifications we established together.” This is a concept the founder of Scalinx hopes to further capitalize on as he pursues his ambition of European conquest, an objective he plans to meet over the course of the next five years.

 

[box type=”shadow” align=”” class=”” width=””]

The TSN Carnot institute, a guarantee of excellence in partnership-based research since 2006

Having first received the Carnot label in 2006, the Télécom & Société numérique Carnot institute is the first national “Information and Communication Science and Technology” Carnot institute. Home to over 2,000 researchers, it is focused on the technical, economic and social implications of the digital transition. In 2016, the Carnot label was renewed for the second consecutive time, demonstrating the quality of the innovations produced through the collaborations between researchers and companies. The institute encompasses Télécom ParisTech, IMT Atlantique, Télécom SudParis, Télécom, École de Management, Eurecom, Télécom Physique Strasbourg and Télécom Saint-Étienne, École Polytechnique (Lix and CMAP laboratories), Strate École de Design and Femto Engineering.[/box]