DANIÈLE NGUYEN EXPLORES THE IMPORTANCE OF GDPR COMPLIANCE ACROSS THE GROUP AND HOW WE CAN DO MORE TO MAKE A MEANINGFUL DIFFERENCE IN THIS AREA.
The Group Data Protection Officer recently launched DP Corner, a section dedicated to GDPR compliance and filled with data protection resources, which can be accessed by all Havas employees.
Here, Danièle explains how important it is to educate ourselves on data protection and to integrate our knowledge into all levels of the group.
Can you explain Havas Group’s GDPR strategy to us?
The new EU General Data Protection Rules (GDPR), which came into effect in 2018, aim to give Europeans (citizens, consumers, etc.) more control over their personal data and impose more responsibility on companies that process personal information. For Havas, GDPR is not just a set of data protection rules to comply with. It’s a long journey that calls for all of our entities to move in a continuous cycle of improvement that will lead to a cultural change in the way we process personal data for our clients and our employees. Havas’ GDPR programme is based on applying more transparency, care, responsibility and accountability to the ways in which we handle personal data.
Our GDPR programme has been designed with our global presence in mind and relies on a global data protection community to deploy and implement GDPR throughout all of our agencies (unless national laws impose more stringent rules). The programme is broken down into directives, processes and guidelines and is available to all Havas employees in a dedicated intranet area, the DP Corner. Havas’ strategy is to educate and inform all of our agencies and entities about the global GDPR programme, as personal data lies at the heart of our Group’s activities. All Havas agencies, regardless of their location, are involved in the processing of personal data. Personal data protection has become a major expectation for all citizens, regardless of their country of residence.
What are the challenges when it comes to managing GDPR? Is it perceived as an asset or as a constraint by stakeholders?
GDPR places direct obligations on companies. These obligations require companies to record their processing activities, appoint a Data Protection Officer, conduct Privacy Impact Assessments (PIA) under specific conditions, integrate data protection principles into their product and service design (and throughout the data lifecycle), notify the Data Protection Authority within 72 hours of a data breach, secure international transfers, and put in place documentation to demonstrate compliance, among other things! GDPR brings new constraints for most companies as they must be organised and prepared to fulfill these obligations, otherwise they take the risk of being exposed to huge financial penalties which lead to business and reputational damage.
Data protection compliance is now a key and continuing challenge for all companies. Havas is a B2B business. Our clients and future clients are demanding and expect us to be thoroughly compliant. Clients send Havas long GDPR due diligence questionnaires at the RFP (request for proposal) phase to inspect our compliance. Appropriate and consistent answers from Havas are considered by our clients in their vendors’ selection process. For Havas, compliance is really challenging. GDPR is applicable to agencies located within the EU, but also to agencies based outside the EU that are processing personal data of EU residents. This makes compliance very complex as a Group. For Havas, it’s vital to increase data protection awareness at all times and on all levels, in order to develop a culture where data protection and GDPR are ingrained in our work and our business. To meet the expectations of data protection legislation, we have developed a data protection global network. This network implements awareness training, documents and records flows of personal data through systems, and implements data protection principles, security measures and data subjects’ rights in our processes. This is done with the continued support of business, IT, and legal teams along with other Havas stakeholders.
How do Havas Group’s CSR and GDPR responsibilities go hand in hand?
CSR, GDPR and other data protection laws are closely linked as they all address our ethics as a business.
Havas has to report its compliance achievements in the Group Annual Report and describe our commitments and actions relating to the protection of the personal data of employees, customers, and clients.
Awareness and client requirements surrounding data protection compliance are increasing, demonstrating the connection between good ethical privacy practices and performance that’s valued in the marketplace.
How are the biggest global data providers/processors (Google, Amazon, Facebook) complying with GDPR? Is there still a long way to go?
GDPR is very clear on its territorial scope in its definition. It applies when a Europe-based company processes personal data, regardless of where the actual data processing takes place, and when a company is established outside the EU but offers goods or services to (or monitors the behavior of individuals within) the EU.
These massive global data providers have to comply with GDPR if they process personal data of EU residents as they are bound by these rules. How are they complying? We will learn more when they are audited by the Data Protection Authority and sanctions are published.
What is the role of the Data Protection Corner that you recently launched?
The aim of the DP Corner is to ensure Havas Group’s compliance by creating a dedicated personal data protection area, accessible to all Havas employees. DP Corner is a Havas resource that everyone can join and explore. Employees can find information, directives, guidelines and tools to ensure the compliance of all Havas agencies and entities, acquire new knowledge and expertise, and find a data protection point of contact for support.
DP Corner also aims to provide (via restricted access) specific information and tools to the global data protection community: Data Protection Supervisors, Data Protection Coordinators, Data Protection Leads and Agency Project Leads.
What are the next steps?
Training, training, training! We need to promote a strong Havas data protection culture! Training sessions are available on DP Corner and I invite all Havas entities and employees to register for an online session. I am convinced that together we will make a meaningful difference to Havas through data protection compliance.