Protecting computer data: a major challenge for businesses

Companies around the world store huge amounts of computer data about their customers, partners and service providers.

Sometimes it can be difficult to understand how all this information, some of which is highly sensitive, can be used.

And whether you are in Europe or the US can make a big difference when it comes to the legal framework and obligations regarding this data.

Computer data: what is it really?

163 zettabytes (163 billion terabytes) is the amount of computer data that will be stored globally between now and 2025. There are several types of computer data, such as personal data.

Personal data is any information relating to a natural person who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or more factors specific to that person.

A person can be identified, for example, if the file contains information that allows that person to be recognized (e.g. surname, first name, telephone number, photograph, car registration number, IP address, biometric characteristics such as fingerprints, etc.).

Within a company, the creation and processing of such data theoretically falls under obligations aimed at protecting privacy and individual freedoms.

Data protection: a central issue in customer relations

The massive development of digital technologies has made this issue even more complex. Information and communication technologies are the source of a large amount of personal and sensitive data, as well as "computer traces" that can be exploited thanks to the development of software, in particular search engines. Companies must remember that data theft is difficult to avoid.

Many citizens feel that their personal data is not being handled properly.

Today, brand loyalty depends, among other things, on the ability to keep customers' digital data secure. It is absolutely essential for companies to develop strategies that limit intrusion into their systems.

Tougher data protection legislation in Europe

The European Parliament has adopted a number of documents, including the Data Protection Regulation.

This document, applicable even to companies located outside the European Union but targeting European consumers, defines a minimum set of rights and obligations applicable to the processing of personal data, especially on the Internet.

The most important measures, most of which are already provided for in French law, include:

•  The obligation to obtain "clear and explicit" consent before any processing of personal data;
•  The right to data portability. This measure allows users of online services to retrieve their data and import it into a competing service;
• The right to be informed in the event of data piracy;
• Fines of up to 4% of a company's global turnover for violating data protection rights;
•  Stricter obligations for companies.

The security of sensitive data is becoming increasingly regulated. The Personal Data Regulation, published in the Official Journal of the European Union, includes elements such as the Privacy by design obligation and the Privacy by default obligation.

Companies are now obliged to offer products and services that collect as little personal data as possible, both by design and by default. They must offer their customers the highest possible level of protection for their personal data.

Internally, the data controller must take the necessary measures to ensure the highest possible level of security for the data collected.

They will also have to conduct impact studies if the use of new technologies poses a risk to the rights and freedoms of the individuals concerned.

The new documents also require companies to maintain internal registers that will reflect the processing of personal data.

In addition, the CNIL will be able to conduct surprise inspections of data processors to ensure that they are taking the necessary security measures.

Choosing a data protection service provider

When a company decides to host all or part of its data (some of which is sensitive and confidential) with a third party, it must carefully assess the implications of doing so. The choice of service provider is critical.

Until late 2015, the Safe Harbor agreement between the U.S. Department of Commerce and the European Commission allowed U.S. companies to export personal data of European citizens to the United States, even if European law prohibited them from doing so.

A company that chose a U.S. service provider, even if its data was hosted in Europe, risked having all of its sensitive information end up overseas with nothing it could do about it.

This agreement was invalidated by the Court of Justice of the European Union and replaced by a new text known as the Privacy Shield. However, this agreement has certain limitations. For example, it cannot guarantee what happens to data entrusted to U.S. companies.

In the US, the Freedom Act was passed in June 2015, authorizing the US government to access all data processed by US companies, whether they are located in the US or not.

If a US cloud provider has offices and servers in Europe, it is subject to this law. That's why it's so important for European companies to choose local service providers.  

In Europe, the laws are much stricter. The collection of personal data is strictly regulated. It is necessary to obtain the consent of the person concerned, to specify the purpose of data collection, and to give him or her the opportunity to change or delete it. In addition, it is formally forbidden to take this data outside the European territory.