Compliance with the GDPR has been a priority for many companies since the regulation came into force in the European Union, but unfortunately some crooks are taking advantage of it. Mastaneh DJAZAYERI from Alpha Conseils Technologies tells us more about GDPR scams and the practices to adopt to avoid them.
Since May 25, 2018, when the GDPR came into force in the European Union, companies must take certain measures to ensure the protection of their customers’ personal data. If they do not comply with the regulation, in the event of a CNIL audit, organizations risk a fine of up to EUR 20 million or 4% of their turnover.
This compliance is therefore an urgent priority. In this climate of general effervescence, many charlatans see an opportunity to line their pockets without too much effort. To learn more about GDPR scams, we met Mastaneh DJAZAYERI, Lawyer / GDPR Compliance, Doctor of Law, Data Protection Officer, certified by Bureau VERITAS, at Alpha Conseils Technologies.
In your opinion, the coming into force of the GDPR has given rise to a new kind of scam. Can you tell us more about it?
Indeed, it is fair to say that since the coming into force of the GDPR on May 25, a number of scams have been created, to the detriment of the most vulnerable economic actors. These are the very small companies that may not be equipped to detect them.
Generally speaking, malicious companies take advantage of disbelief and ignorance of the law among a number of economic actors. These scams have always been prevalent in our society in various fields.
In the case of the GDPR, these fraudulent practices were easier to put in place for a number of reasons that I think are essential.
First of all, the lack of information from the State on this new European regulation. Indeed, the economic actors who are impacted first and foremost have not received sufficient information on the GDPR.
As a reminder, this European regulation came into force on 27 April 2016 and left companies free to comply with it by 25 May 2018, i.e. two years. But, unless there is an error or omission on my part, there has been no communication to that effect.
This lack of communication has therefore allowed some malicious organizations to take advantage of this lack of information to offer their services at a competitive price. Next, the 20 million in administrative penalties, or more commonly the fear of the gendarme, if we may use a common expression.
Indeed, those primarily concerned started to be flooded with prospectuses, commercial proposals and offers of external services a few weeks before the implementation of this regulation. The crooks played on the fear of this administrative sanction to offer their services.
Incidentally, the CNIL did not fail to warn companies against these attempted scams with a #StopArnaque campaign. From now on, it is not only individuals who are in the sights of crooks, but also companies.
The modus operandi is extremely simple. These malicious companies generally send a message that sounds like an official message and directs the recipient to urgently bring themselves into compliance with the GDPR.
They offer services at around €990. They tell you that by signing their service delivery contract you will be “standardized and GDPR-stamped”, in their own words. However, the CNIL has not mandated any organization and has not for the moment issued any certification to any organization whatsoever. This has been provided for as part of the missions assigned to it by the Data Protection Act of 20 June 2018.
How do you avoid these scams? What best practices should companies adopt?
The first precaution to take is to go beyond a simple exchange or the sending of documentation on the GDPR. To avoid these scams, companies will have to turn to experienced professionals in the field, such as lawyers or external service companies made up of lawyers and IT specialists qualified in personal data protection.
These intermediaries will enable them to identify the actions to be put in place. This is also one of the CNIL’s recommendations. Therefore, the best practice for companies is to surround themselves with experts in the field and to inquire about their experience.
In addition, the CNIL strongly recommends properly tracing and identifying the organizations involved in your company’s compliance, and not hesitating to contact it when in doubt. You must be very vigilant, because this scam can impact your finances and be a source of misappropriation of personal data files that can be used for future payments.
As long as you avoid charlatans, is using a third party a good way to comply with the GDPR?
It is quite obvious that I can only answer this question in the affirmative, since the company will have all the guarantees for this compliance process and will benefit from regular follow-up and from competent people whose expertise it can draw on and who will be responsible for accompanying and advising it throughout this compliance process.
Beyond this undeniable advantage, the external service provider has a duty to advise the company; in case of default, it will always be easy for the company to engage the provider’s liability for failure to advise.
However, engaging the external service provider’s liability for failure to advise should not be confused with the controller’s or processor’s non-compliance with the GDPR. The external service provider cannot be held responsible in any way for its client’s non-compliance.
Conversely, how can we comply with the GDPR without the need for a third party?
It is not necessarily required to use an external service company or other relevant professionals in order to comply. It is perfectly possible for companies to consider appointing, from among their own staff, a person who will be designated Data Protection Officer, under certain conditions and with certain reservations.
The company designating this person shall first of all write a letter of engagement setting out the precise role vested in the Data Protection Officer and the scope of his or her interventions.
It is important that the designated person receives training in this area, time to carry out his or her tasks, and the material means to carry out the mission. Nor should this role be in conflict of interest with the position he or she occupies.
For example, human resources managers, IT security managers, directors and financial directors cannot fulfill this role because there is a conflict of interest. One cannot be both judge and party at the same time. It will be necessary to judge on a case-by-case basis the function of the person the company intends to appoint, to see whether there is a conflict of interest.
It is also necessary that this new mission assigned to the person be included in his or her contract of employment. It should be specified that the employer may not dismiss the said person in the context of his or her mission as Data Protection Officer, even if he or she is not a protected employee.
In conclusion, a “straw” Data Protection Officer should not be appointed. Only companies of a certain size may consider it. This is because, as one can imagine, a very small company does not have the time to submit to such a constraint. It would be impossible for it to appoint a person internally, with the added burden of the financial compensation that goes with it, while not being able to provide the material means for the mission to be fulfilled.
To benefit from support in bringing your company into GDPR compliance, you can contact Mastaneh Djazayeri from Alpha Conseils Technologies at the following email address: [email protected]