Among all the questions that businesses are asking themselves before the EU General Data Protection Regulation (GDPR) goes into effect in May, the first is most likely: will we really see fines of 4% of annual revenue? And if so, who will be first? Beyond highlighting the confusion that could prevail for many business owners on this subject, these questions should push decision makers to go further in considering the thorny question of division of responsibility between clients and service providers in this new GDPR world.
As Co-President of computer science school Syntec Numérique and President of developer Saaswedo, I have been, for a few months now, well situated to observe that many stakeholders are lost when considering this question of the division of responsibilities, while large companies are rapidly undertaking their GDPR compliance upgrade. Of course, they will be the ones who will be targeted first, and potentially sanctioned. But the CNIL (French Data Protection Authority) will also be able to inspect subcontractors to verify that they are in compliance with their own requirements. Article 82 of the GDPR is very precise on this subject: subcontractors must be able to protect themselves while being clear on how to adhere to these requirements.
While data is key in more and more business models, the CNIL calls for vigilance on the subject of subcontracting in its recommendations on the protection of personal data. Developers are directly responsible for the data they process (HR management, clients, etc.). In certain cases, they can also be subcontractors when they process customer data – which doesn’t exempt them from responsibility. “Personal data communicated to or managed by subcontractors must be processed with security guarantees,” states a practical guide from the CNIL. The CNIL also published a guide on this subject in light of the regulation. In the context of GDPR, it is at once a question of systems security, privacy of data, and documentation on data usage, which is a major concern for software developers. Developers also have an obligation to advise their clients, as some are prepared to go further than GDPR requirements, while others would prefer not to be concerned with such constraints.
Thus, software developers, including myself here at Saaswedo, are willingly modifying their products to comply with security requirements, for example in password management, or with privacy by design, keeping precise records of the data that is processed and logged. We have set up an accurate system of “tracing” usage of the data that passes through our software. However, some of these decisions can create friction with clients! One can already hear the protests of those who find out that the SSO passwords they created for their users in a SaaS model aren’t sufficiently secure… if the security culture were widespread enough, surely there wouldn’t be a GDPR.
Unfortunately, the problems go well beyond these examples. The temptation is in fact considerable for certain big companies to take advantage of the GDPR effect by transferring responsibility to their partners and suppliers. Their requirements for organizations, processes, and workplaces may go well beyond the useful evolution of a product… sometimes even to the point of removing responsibility from their own colleagues, who may send more data than necessary to a service provider.
In France, 80% of software developers have fewer than 20 employees. The creation of a Data Protection Officer position, for example, will represent a major upheaval for these players. Even if it is a shared resource for these entities, creating such a position will negatively impact margins. Let’s not forget: in addition to being about security and ethics, the GDPR is an economic reality. Considering efforts already deployed, it is a shame to see certain major stakeholders try to take advantage of the confusion and the looming deadline to turn the tables and relieve themselves of their responsibilities.
In 2018, many professionals – including Syntec Numérique – are continuing to lay the groundwork of simplifying the regulation to assist software developers in taking on their own responsibilities… without getting lost in others’ responsibilities! Because if all parties – citizens, businesses and technology companies – accept their responsibilities on this critical subject, without a doubt our entire economy will grow.