The Structure of Data Governance in Enterprises
Data governance refers to all the organisations and procedures put in place within a company to control the collection and use of data. According to a study conducted by Reach Five and Opinion Way, 78% of French companies harvest data to personalise the customer experience. However, simply collecting data is not enough to improve competitiveness: companies need to learn how to use this data in an optimal way. This collection is subject to restrictions such as the respect of users’ privacy. Therefore, in their data governance process, it is necessary for companies to take into account the limitations posed by both national and European legislation.
Personal data refers to all information that makes it possible to identify a natural person. France was a forerunner in the supervision of its citizens’ data. As early as 1978, it introduced legislation to protect users, even though at that time the Internet was foreign to the general public. The French law of 6 January 1978 has established the principle of freedom to create nominative files and to process data by computer, but this freedom has its limits: the collection of data must respect the principle of fairness and transparency. This means that companies are obliged to inform the persons concerned of the compulsory or optional nature of their replies, of the list of legal persons to whom their replies are addressed and of the consequences of these replies. However, if the absence of a response leads to an inability to access the proposed service, can we still consider that the user has a choice in the disclosure of his data?
One of the fundamental notions of this law is the right of opposition and rectification of the information collected. This issue has been the subject of litigation and the courts are trying to enforce this rule. Through a judgment of 14 March 2006, the criminal chamber of the french court of cassation considered that : « It is a collection of personal data to identify electronic addresses and to use them, even without registering them in a file, to send electronic messages to their holders. It is unfair to collect, without their knowledge, the personal e-mail addresses of natural persons on the public space of the Internet, as this process impedes their right of opposition. ». It can be seen that data is not treated as a commodity that can be exchanged, but rather as the property of an individual who must give his or her consent to its use and to its knowledge.
The 1995 Directive and the RGPD Regulation
In reaching this solution, the judges relied on the Directive of 7 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which led to the amendment of the law of 6 January 1978. However, the aim of this European legislation remains the same as the former French legislation: to regulate data flows and protect users’ information.
To comply with these rules, companies must implement a clear and precise data collection policy. First, it is important to consider the methodology to be adopted in the data collection process. This is essential to ensure compliance with the regulations and effective use of the data. To this end, a data management plan should be drawn up to define the data collection methods and organisational systems, as well as the legal and ethical framework surrounding this information: how will the data be shared? How will you protect the identity of your users?
In addition, it is necessary to define precisely how the data will be stored in order to put in place a security system to prevent data leakage. As a company you need to have systems in place to protect against breaches that could lead to the disclosure of user information and how you will react if this happens. Anticipating the risks and your attitude to them is paramount: knowing that you are prepared in case of an incident gives users confidence.
Finally, it is imperative that you, as a company, ensure the quality of the data. How can you ensure that your data is reliable? This control is achieved by implementing monitoring and processing methods. Poor quality or badly structured data is a security risk because it will be more difficult to determine what data is at risk and what the level of risk actually is. How to monitor and determine what data is at risk? The implementation of data governance tools is a necessity to manage data and to determine the areas at risk.
Some states did not regulate data right away and waited for European intervention before putting in place rules on this matter, such as Luxembourg, which only put in place legislation in 2005, in order to transpose the European directive 2002/58/EC (since repealed) on privacy and electronic communications. Subsequently, 2 laws were enacted on 1th august 2018 : the Act on the organisation of the National Commission for Data Protection and the general data protection regime and the law on the protection of individuals with regard to the processing of personal data in criminal matters and in matters of national security. In the end, however, it can be seen that this regulation is essentially derived from European rules: it is mainly these that provide the framework for data protection.
Today, good management and protection of user data is fundamental to a company’s image. The giant Facebook is proof of this: in April 2021 data of 533 million Facebook users leaked . Facebook stated that the data came from an illegal collection that exploited a security flaw discovered and fixed in 2019. This case does not improve the giant’s image in terms of data protection. This is not the first time Facebook has faced a disclosure of its users’ information. In 2018, Cambridge Analytica The UK and US press revealed a massive misuse of users’ personal data for political purposes. This case illustrates the extent to which individuals’ personal information can play a role in shaping behaviour.
Unfortunately, the provision of personal information is nowadays indispensable when you want to surf the Internet, but how can you protect yourself as a user? You have to be vigilant. In the case of Facebook, users were aware of the data leak, but in many situations individuals do not know that their data has been disclosed, so when you receive an SMS, an email, you should check who the sender is. If the message asks you to log in to your personal space, never click on the link directly but type the address of the site into your bank.
Introduction of GDPR in Data Governance
The European Union has taken action to ensure that users of internet platforms have their data protected via the regulation (UE) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data which repealed the 1995 Data Protection Directive. First of all, the GDPR has placed an emphasis on consent and transparency, these two principles are at the heart of the data protection rules: ‘The principle of fair and transparent processing requires that the data subject be informed of the existence of the processing operation and its purposes’. It is on this basis that companies must inform users about how their data will be processed: no operation can be carried out without the consent of the owner of the data. The question arises as to who should prove consent. However, it must be clear and unambiguous.
The RGPD grants new rights: the right to data portability implies that it is possible to recover one’s data and transfer them to a third party. The aim here is to give people back control over their data, and to partially compensate for the asymmetry between the data controller and the data subject.
For the first time, the European Union has taken specific measures for minors under the age of 16: the child must be able to understand the information on data processing and the consent of those with parental authority must be obtained.
This regulation offers ever greater guarantees to users, with in particular a simplification of procedures in the event of prejudice, with in particular the introduction of class actions. In addition, the RGPD institutes a code of conduct to ensure the proper application of the regulation. In particular, this code requires cloud computing providers in Europe to put in place physical means of safeguarding and processing data on European territory. Microsoft has taken a public position : data of Europeans will remain within the European territory.
The broad scope of the data protection regulation was seen during the covid-19 crisis. The French CNIL had to intervene to remind employers of their obligations regarding data collection. The sensitive nature of data relating to a person’s state of health justifies the special protection afforded to it: but how to reconcile respect for privacy and personal security? In principle, the CNIL states that: “the employer does not have to organise the collection of health data from all employees“. The employer is only allowed to take individual action against an employee if the employee himself reports that he had been exposed or had exposed some of his colleagues to the virus.
The GDPR has sought to address this issue more comprehensively by introducing 2 exceptions to allow disclosure of an individual’s medical data:
- Employees self-report their situation
- The need for a health professional to process this data for the purposes of preventive or occupational medicine, (health) assessment of the worker’s working capacity, medical diagnoses etc.
The Luxembourgian position
Like the French authorities, the Luxembourg National Commission for Data Protection has intervened, notably by issuing opinions on draft laws concerning measures to combat the Covid-19 pandemic. In its opinion on the proposed law n°7808 on the Covid-19 screening strategy in structures for vulnerable persons and in support and care networks.
The CNPD states that the processing of data carried out in the context of proposed law no. 7808, which provides for the obligation to carry out Covid-19 screening tests for external service providers and visitors to certain structures, must “rely on one of the lawfulness bases listed atArticle 6 of the GDPR as well as meeting one of the conditions referred to in article 9, paragraphe (2), of the GDPR insofar as data relating to the health of data subjects may be processed. ».
Moreover, the CNPD’s reflection is interesting because it raises issues that are not related to data protection but that will have to be framed: “The CNPD wonders, in terms of labour law, about the consequences of a refusal by an employee or an external service provider to submit to such obligations. Will the employee have to work at another job? What will be the consequences for an external service provider when the organisation is not its employer?
The CNPD concludes by stating that it cannot comment further on the data protection issues as “the text under opinion would not meet the requirements of clarity, precision and predictability that a legal text must meet“. This response demonstrates the importance of this institution, and of supervisory institutions in general, because it is thanks to it that the legislator was able to realise that it did not meet the criteria of clarity and intelligibility of the law required by European texts.
We can see that the protection of our data and its legislation is a very broad area. Regulation will have to continue to adapt as new technologies evolve. Companies need to check the compliance of their data processing policies with current legislation and users need to be vigilant about how they disclose their personal information.