Where are the banks in implementing the RGPD (the French name for the GDPR)?

The implementation of the RGPD is perceived as positive by the French, who are increasingly interested in the protection of personal data. This heightened sensitivity can be explained by the increase in spam, commercial solicitations, hacking and data theft. How far have the banks come in implementing this policy?

Different levels of progress at different sites

The RGPD particularly engages banking institutions, which collect highly sensitive data in both paper and digital formats.

With regard to personal data collected in digital format, banks did not wait for this text to come into force to combat fraud, as the RGPD merely reinforces a pre-existing framework imposed by the CNIL and provides for a generalization of users' rights. With regard to personal data collected in paper format, banks are required to destroy it as soon as it is no longer useful for the purposes for which it was processed, collected or stored. On this point, very few, if any, banks communicate.

In its annual survey on data governance and protection, Novaminds shows that the level of RGPD compliance is progressing, but the work is far from complete. The consultancy firm reports that most establishments have already defined data protection policies, organized the Data Privacy function, appointed a Data Protection Officer (DPO) and raised employee awareness through training initiatives. However, progress on the inventory of data processing is more uneven, with some banks having yet to industrialize it and equip it with tooling. Novaminds draws a similar conclusion with regard to the compliance of IT assets, the deployment of privacy by design, and the handling of requests from individuals exercising their rights over their personal data.

Consideration of the DPO's position within the company

The appointment of a data protection officer is one of the flagship obligations of the RGPD. This central player's role is to put the individual's fundamental rights and freedoms back at the heart of decision-making. He or she must therefore raise customer awareness and give customers control over the use of the data concerning them.

In its study, Novaminds notes that during this period of RGPD implementation, in several banks, the DPO may have had to intervene operationally in the deployment of compliance processes, and warns of the existence of a possible "conflict of interest situation". "This will raise questions about his profile, his positioning within the company, and is bound to prompt broader reflection on the respective roles of Data Privacy players mobilized as 1st and 2nd lines of defense," says Gaël Duval, Director at Novaminds, in an interview with Revue Banque.