Security Expert Interview Series: François Charlet
In this interview, François Charlet, Chief Privacy Officer and Data Protection Officer, talks about his unique path into the information security industry. François has over 5 years of experience in the legal and data protection field. He is a specialised jurist and expert in technology law and data protection, advising companies and individuals, developing data protection programs, helping to define a data governance framework. To learn more about his thoughts around the main challenges for our privacy today and challenges associated with complying with the GDPR, continue reading.
1. How did you get involved in the information security industry?
I became interested in technology, computer security and data protection when I started university in 2006. For a lawyer at the time, it was not very common to be passionate about these subjects. I was able to follow a Master’s degree in Law, Crime and Technology Security at the University of Lausanne from 2010 to 2012. After various internships and trips abroad, I was hired as Data Protection Officer by Groupe Mutuel (an insurance company). Today, I hold the role of Chief Privacy & Data Protection Officer at Vaudoise Assurances. I am not in the information security industry as a technician since I do not have a technical background, but I am in charge of the legal and organisational aspects, as well as training. So, I have to work with many professionals in the industry, including engineers, and I have to understand them and be understood by them. At both Groupe Mutuel and Vaudoise Assurances, I have had to work closely with my IT security colleagues, particularly the Chief Information Security Officers.
2. What are the 3 most critical success factors that a Data Protection Officer must show to succeed?
From a personality point of view, he or she must be alert and attentive to detail. He must never be satisfied with the information he gets from a department, unit, project teams or business lines. It is not a question of tracking down possible lies, but rather of getting to the bottom of the problem. The DPO is a data protection professional and must quickly understand the ins and outs of the data processing described by his or her colleagues. These colleagues will generally only provide an incomplete picture of the situation, since they will only be interested in the business and technical aspects that concern them directly. It is therefore up to the DPO to ask for the big picture to be completed.
A DPO must have multidisciplinary knowledge in law, information technology and management (a legal background is highly recommended). Either he or she has this knowledge himself or she has a team that combines these skills. These skills enable him or her to carry out his or her function, but it is not enough in practice to be an expert of data protection. He or she must be a good listener, teacher and persuasive, and have good interpersonal skills.
Strength of character is the third (and probably the most important) factor. A DPO, like a CISO, usually intervenes to tell others what to do and can therefore be frowned upon. Data protection and information security are often seen as unnecessary burdens. The company’s employees must see the DPO as an ally, a helper who will enable them not only to comply with the law but above all to design a compliant product or service that can be promoted as such to customers.
This is why the DPO must know when to concede and when to stand firm. The DPO must be able in all circumstances to properly balance the company’s interests against the financial, time and human costs of implementing the measures required by law.
3. What do you see as the main challenges for our privacy today?
From a business perspective, there are essentially two challenges: the legal and regulatory framework is changing and getting tougher (GDPR, new Swiss Data Protection Act), and customers are becoming increasingly aware and concerned about their personal data. Companies sometimes find it very difficult to explain and make their customers understand that they need certain personal data to fulfil their legal, operational, commercial or contractual obligations. For data subjects, the amount of personal data is increasing exponentially, and it is impossible for them to manage it, to know who knows what about them, who holds what information, what they are doing with it. This is also a problem for companies, since by processing more and more personal data, the risks increase dramatically.
4. What level of awareness is there among businesses about the risks to their privacy?
I think companies are all aware that data protection is a concern, both for the data subjects and for themselves. However, they are still far from being aware of the risks they take when processing personal data and the measures they need to take to reduce those risks. And I do not blame them: the legal framework is vague and does not provide any help or guidance. How do I know what “taking adequate security measures” means? What does “adequate” mean? This is where companies, especially SMEs, can be caught at fault. In short, they know they have to do something, but they do not really know what or how.
5. How can businesses implement technical infrastructure that will ensure optimal governance of their client data?
It is impossible for me to answer this question in a targeted manner, because the implementation of a technical infrastructure will depend on the economic field in which the company operates, the specific legal constraints that apply to it, the possible codes of conduct (e.g. associative) to which it is subject, the certifications it holds or is seeking to obtain, etc.
From my point of view, as a lawyer and DPO, I think it is essential to implement an MDM (Master Data Management) structure if only to avoid data being duplicated in different systems and to ensure that data is managed, updated and accurate throughout the IT ecosystem. As a reminder, the accuracy of personal data is a legal obligation. Therefore, it is critical that organisations understand that data governance is one of the pillars of data security and protection.
6. What are the 2 main challenges associated with complying with the GDPR?
The first challenge is neither technical nor legal. It is human. Like the security of information systems, data protection is often perceived as a brake, a burden. This challenge is only met when the entire company understands that data protection is one of the factors that differentiate it from its competitors, that it can be a commercial advantage, that it protects not only customers but also employees (i.e. the people who implement it on a daily basis). To use a formula that is repeated – and rightly so – by our team’s change manager: people must find their way, they must know the answer to the question, “what’s in it for me?”
The second challenge is to draw up a register of personal data processing that will enable risk analyses to be carried out and the appropriate measures to be taken (the famous “adequate measures”). This is the DPO’s basic tool without which he cannot do his job properly. Creating a treatment register is a complex task that requires a great deal of preparation (one must be able to ask technical and operational questions to the business lines), interpersonal skills (one must explain how this register is useful, train people to provide the right information, conduct interviews) and analysis.
7. As a Chief Privacy and Data Protection Officer, do you have concerns about the state of information security today? If so, what are those?
I do have one concern: the sharing of personal data. Some focus mainly on data transfers abroad, but the conditions for such transfers are clear and well specified in the law (although they still need to be known and applied). Conversely, data sharing with third parties is a processing of personal data like any other and is only subject to compliance with general data protection principles that are not interpreted in the same way by everyone.
Furthermore, since personal data is outside the sphere of power of the company that collected it, it is difficult for the company to control what third parties will do with it. This is one of the reasons why data sharing is one of the riskiest forms of data processing.
8. What would be your single most important piece of advice to digital companies with regard to staying GDPR-compliant?
Data protection by design is fundamental. There is certainly a risk that the DPO may feel that a project is far too risky, or that he may bring his concerns to the attention of management, who may then make the decision to stop the project altogether. However, taking data protection into account at the outset of a project (i.e. during the initial discussions about what you would like to do) can save you trouble, delays and money.
When consulted, the DPO can quickly indicate to teams what they need to pay attention to and, most importantly, can accompany teams by guiding rather than sanctioning what has been done. Thus, unless they are contemplating outright illegal data processing, a DPO will rarely say “no”; rather, he will say, “We should take a different path to achieve this goal, we will think about it together.”
9. How do you see the future of ePrivacy? Is it too early for businesses to be preparing for change?
The new European ePrivacy regulation that is to replace Directive 2002/58 is not yet in force. In fact, its final version has not even been adopted yet and it still has to be negotiated between the Council of the EU, the European Commission and the European Parliament. So I think it is still a bit early to prepare for it. Personally, I find that the current draft offers Internet users reduced protection not only in relation to the RGPD but also in relation to the Directive currently in force, and this worries me. On the other hand, for businesses, a lightening of certain obligations will certainly be perceived positively.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.