Agefi Luxembourg January 2020 FREE PAGES
LuxTrust inaugurates its subsidiary «LuxTrust France» in Paris

Trust service provider LuxTrust inaugurated its French subsidiary on 9 January in the presence of Etienne Schneider, Deputy Prime Minister and Minister of the Economy and of Health of the Grand Duchy of Luxembourg. LuxTrust thereby confirms its international positioning and the pan-European strategy it pursues with its partner InfoCert.

In the presence of its shareholders, partners, clients and the minister, LuxTrust inaugurated its French subsidiary, «LuxTrust France», located on the avenue des Champs Elysées in central Paris. The company, which manages the digital identity and trust services of all citizens and businesses of Luxembourg, thus extends beyond its borders and brings its expertise to the French market on subjects such as digital identity management, the full dematerialisation of processes and electronic signatures.

A strategic choice

«Setting up in Paris is a strategic choice to meet the need for proximity of our ever more numerous French clients and partners,» says Astrid Clausse, Commercial Director of «LuxTrust France».

Growing through partners

«While LuxTrust's core business was initially focused on digital identity and trust services, we have since extended our digital solutions to better address the challenges faced by businesses. These solutions notably address document management and multiple-signature workflows, as well as the management of personal information. These solutions can only be applied effectively with the help of strong and committed partners, which we are pleased to already have in France,» stresses Pascal Rogiest, CEO of LuxTrust.

A round table on digital identity was held on the occasion of the inauguration with Marco Di Luzio, CMO of InfoCert (Italy), Kris de Ryck, CEO of itsme® (Belgium), Cédric Clément, head of the digital division of the Caisse des Dépôts et Consignations (France) and Etienne Combet, co-founder of SEALWeb. The discussions covered the evolution of digital identity and trust services, with the interoperability of systems across Europe as the objective.

A Luxembourg company turned European

«LuxTrust is today one of the many factors that have for many years made Luxembourg a privileged location for the digital market and for innovative digital trust services. From now on, we are no longer talking about a Luxembourg company but about a European company,» declared Deputy Prime Minister Etienne Schneider in his speech.

With 50% of its shares held by the Italian company InfoCert, a member of the TINEXTA group, and offices open in Paris and Brussels, LuxTrust makes no secret of its ambition to confirm, together with InfoCert and Camerfirma, their position as European leader in digital trust services, while ensuring a local presence and local trust in priority geographies, among them France.

(Photo) From left to right: Pascal ROGIEST, CEO of LuxTrust, Marco GOELER, SNCI, Etienne SCHNEIDER, Deputy Prime Minister, Serge ALLEGREZZA, Chairman of LuxTrust, Martine SCHOMMER, Embassy of Luxembourg in Paris, Frédéric TOURRET, LuxTrust ©LuxTrust

Implement the GDPR - how to get started

By Lionel GENDARME, Advisory Partner and Shariq ARIF, Advisory Manager, Grant Thornton Luxembourg

How to implement the requirements of the GDPR may appear unclear, as many firms have not yet done so and struggle to figure out where to start. Since Grant Thornton has supported a number of firms in implementing the regulation across multiple sectors, this article describes a series of pragmatic guidelines on implementing the GDPR. This approach is equally relevant to a large multinational and to a small SME.

How does it work?

We typically start GDPR implementation by performing an impact analysis. To do so we use a tool that comprises various lists of questions designed to assess the firm's business and IT contexts and to consider which GDPR requirements apply most to the firm. The answers to the questions put forward enable us to rapidly identify gaps, generating an overall picture of the current state of the organisational and information security measures the firm has in place to manage personal data protection. The captions below show snapshots of the gap analysis outcome for a firm that was assessed as having strong information security measures that exceed targets but lacking robust organisational measures.

(Figure: Data Protection Processes and Measures)

We then use the results of this impact analysis to define an implementation roadmap. Based on our experience, this roadmap should at a minimum address the following requirements.

Requirement 1: Be transparent on the personal data that the firm processes

The GDPR requires firms to be transparent about the way they process personal data. Personal data can be as simple as an individual's name, or any other identifier that can be used to single them out. The firm is obliged to inform these individuals accordingly about the rights they have over their personal data, including consultation, correction, and limiting its transfer or deletion. These rights are designed to give individuals back control over how their personal data is processed. Communication to individuals on the personal data processed and the related rights is usually made at the time the firm receives personal data from them. For employees this can be conveyed in their employment contract. It is also common practice to make this communication publicly available on the firm's website.

Requirement 2: Keep a register of the processes in place within the firm that involve personal data

The GDPR requires firms to ensure that they collect personal data for a specific purpose. This data should be kept up to date and stored for no longer than permitted by the pre-determined commercial purpose or by a legal requirement. To fulfil these duties, we strongly encourage firms to put in place a register of all processes that involve personal data. This register provides a snapshot of all types of personal data processing activities administered by the firm, which often pertain to marketing, the provision of services and legal obligations. The register can be built and maintained effectively in simple structures using Microsoft Office, and can be reinforced with workflow diagrams that outline how personal data flows, to better visualise the processing activities.

Requirement 3: Sign data protection clauses with the firm's service providers

The GDPR requires a firm to keep a solid handle on the personal data it processes and to act responsibly at all times, even if it outsources some processes to third parties. This can occur when firms decide to house their personal data in data centres managed by third parties, or appoint specialist external payroll service providers to administer salaries and benefits. A firm can leverage the register of personal data processes described above to identify the third parties with which it shares personal data, and sign data protection clauses with them. Such clauses must outline how personal data is handled and provide assurance to the firm that the third parties have adequate organisational and information security measures in place to guarantee that they process the firm's personal data in compliance with the regulation.

Should the involvement of a third party lead to the firm's personal data being transferred to countries outside the European Economic Area that do not offer levels of protection considered equivalent by the European Commission, we advocate defining additional contractual measures that provide assurance on the way the third party will process the firm's personal data.

Requirement 4: Establish efficient organisational measures to address a data breach occurring within the firm

Personal data can be, and often is, breached. A breach of personal data can be something as simple as sending an email containing personal data to a recipient who is not supposed to become aware of it. It can also be a case of an electronic file becoming corrupted in a way the firm is unable to restore. It may also be a case of identity theft, such as when an employee's inbox is hacked.

A data breach can be detected by a tool, but more often it is reported by individuals. Therefore, the firm needs to raise awareness amongst staff to explain which events can be considered a personal data breach, so that they are rapidly escalated to the person in charge of personal data protection as described below. This person is best placed to assess whether the event constitutes a personal data breach and whether it warrants notification to the CNPD, the Luxembourg data protection authority. Irrespective of whether the CNPD or the concerned person is informed, a log of all incidents needs to be kept at the firm. If the event is considered a personal data breach, then in parallel, measures need to be taken to limit any potential risk. We encourage firms to have an action plan in place so that decision makers at the firm know which steps need to be taken to rapidly address the breach.

Requirement 5: Have one person in charge of data protection

Because the implementation of the GDPR is a continuous project, we strongly advocate having one person in the firm who oversees that it is adhered to. This person has several duties, which include raising awareness of the regulation via training or e-learning sessions, and being a source of advice to the business. Advice can encompass respecting the GDPR when implementing digitalisation projects, which often involve the processing of personal data. It can also extend to overseeing the data protection implications of marketing campaigns. In this instance, this person should guide the marketing team on how to ensure promotional content is only shared with clients who have given their consent and who are provided with the ability to unsubscribe at any point in time.

When firms put the requirements outlined above into practice, the foundations of the GDPR are set. The impact analysis and the requirements that follow enable the firm to have a proportionate and practical mechanism in place to achieve GDPR compliance. By following a pragmatic approach, firms inspire confidence in relevant stakeholders that their personal data processes are carried out in a structured and responsible manner. In a forthcoming publication, we will describe practical steps to effectively manage data breaches.