According to a survey conducted in late October 2018 by the Legal and Administrative Information Direction, two thirds of French people declare themselves more sensitive than before to data protection. This is mainly due to an awareness of phenomena such as hacking, data theft and the proliferation of spam and commercial solicitations.
On May 25th, the General Data Protection Regulation or GDPR came into force in France and in Europe. This law, a real step forward in terms of the protection of users' personal data, implies a strengthening of data processingsecurity used and stored by companies.
While there were only 5,000 IS data protection correspondents in French companies before the GDPR, today more than 32,000 have designated Data Protection Officers (DPOs)! This growing ownership of the RGPD by businesses must be accompanied by awareness raising on the new legal obligations of transparency, control and, above all, data security.
Want to understand how a GDPR compliant consulting agency works?
Discover in this article how Primeum has made the security of personal data a pillar to accompany its customers!
1. A SECTOR OF ACTIVITY PARTICULARLY CONCERNED BY GDPR
Bonuses calculation requires the identification of beneficiaries
Because of their activity, HR services are directly concerned by the processing of personal data: recruitment, salary management, etc ... For a large number of companies, these services are at the forefront of the personal data management of the employees. Thus, at Primeum, we have managed the various aspects related to the application of the GDPR for all of our employees and naturally accompany our customers on this subject.
Primeum, through its incentive compensation consulting business and incentive compensation software publisher, is particularly concerned with aspects of personal data protection, particularly those related to the calculation of bonuses. Indeed, we carry out bonuses calculations which requires a prior identification of the beneficiaries and therefore a particular management of the personal data related to this identification.
It is very rare that sensitive data are involved in the calculation of bonuses
The use of sensitive data requires the definition of a very precise framework and can only be done in a highly justified context. At Primeum, we are not in this case, we do not need to use so-called "sensitive" data in the GDPR sense to carry out our incentive calculations and, therefore, do not wish to collect them. In addition, it is also a security issue for our customers. We make sure to identify with the client what data is needed to calculate bonuses (types of absence, etc ...). This approach reflects Primeum's willingness to minimize risks for customers in managing their own data.
2. THE SECURITY OF THE DATA IS IN PRIMEUM DNA
Primeum has always been very concerned by the personal data protection
The data provided by our customers are considered strictly confidential. The implementation of the GDPR has not changed the way we work and has, on the contrary, provided a formal framework for existing practices in the management of personal data. For example, we have added specific elements to identify the personal data to be used specifically in the variable pay calculation framework in our working documents.
Thus, in our bonus calculation documents, we specify the nature of the personal data processed, which allows us to identify and hold each actor accountable for the calculation of bonuses.
Primeum considers all data confidential
When some companies set up levels and levels of "confidentiality" of data, at Primeum, we made the choice not to categorize them and to secure them to the maximum without distinction. All processed data are considered as confidential and are not differentiated, so they are all protected in the same way. This process simplifies the management of personal data while ensuring an optimal level of protection.
Primeum never communicates the customer’s data to third parties because its business model does not include the exploitation of the customer’s data.
Primeum pays a lot of attention to the values of rigor and quality of its teams
This is reflected in particular by a certain requirement in the choice of our employees who must have some skills: rigor of analysis, accuracy of calculations, quality of services rendered, etc ... These values of quality and rigor are found in the missions carried out daily with our customers and are naturally part of a pro-active approach to improve quality but also safety. In addition, data awareness is an integral part of our process of onboarding new employees: every time an employee is integrated, he is specifically trained on this issue and he is contractually committed to respecting the confidentiality of customer data.
Primeum has always ensured the maturity of all its providers
We sell our softwares to our customers and sometimes have to rely on external providers like Microsoft Azure for our network infrastructure. In this case, we make sure that they have sufficient maturity in the GDPR in order to collaborate safely. The data of our customers are stored either on our premises or on encrypted storage using Microsoft Azure, with their agreement.
3. PRIMEUM has the MEANS OF ITS AMBITIONS
A subject led by the management of the company
Bringing as much security as possible to data management is part of how we work. Directed in-house by Yvon Prevot, a partner who is now a Data Protection Delegate, the implementation of the GDPR was carried out taking into account data security issues.
The data is protected against unauthorized access through a system of systematic encryption and restriction of access to new computer tools, including software, which are then set up in this direction.
Recurrent audits and checks
To ensure data security, we have been using an external company specializing in cybersecurity for five years now. This company allows us to maintain our network and applications with current best practices in terms of IT security and offers our customers additional security.
A dedicated network manager and infrastructure
In addition, we have within our workforce, an infrastructure and network specialist, who is responsible for the full operation and security of Primeum's network infrastructure. These good technical conditions, relatively rare for a company of our size, allow us to have our own hardware to offer the safest storage and data security solutions possible.
Physical protection of data
Reinforced internal network
First, our premises are protected and access to the building, as to the server room, is controlled. Then the entry on the Primeum’offices is also protected by an access badge. Finally, the servers on which the data are stored are stored in a dedicated, secure room, whose access is also closed. The data is protected,from an IT perspective but also "physically".
Our main network is thus in a secure server room within our premises. Our emails, as well as all our exchanges with our customers are not stored on a cloud, but directly with us. As a result, our internal mails never go on the internet and remain in our internal server.
All staff computers are encrypted
Primeum employees have laptops on which they can synchronize the data needed to work. Each computer is highly secure and has an encrypted hard drive. Primeum is committed to using the best equipment and devices possible in terms of hardware to ensure optimal data security. In addition, if a collaborator had to be stolen his laptop, no external person could recover the data it contains.
4. WHAT WILL CHANGE THE GDPR?
The GDPR gives us the right to make our clients more accountable
The roles of each are re-defined and customers better understand their own responsibility for managing the personal data of their employees. Indeed, customers using our tools and realizing their premium calculations using our applications are still responsible for the processed data even when they decide to assign us to do the calculation for them.
Customers have a responsibility to ensure that Primeum is working properly, so they ask us about our practices and we regularly respond to audits on these topics. We comply with the internal rules of companies that solicit us, especially from large companies, which may sometimes have fairly strict and highly formalized internal operating processes to which we specifically adapt. Primeum supports these customers to justify the actual compliance of the applications used and how to work on GDPR regulations.
Today, in view of the new provisions induced by the GDPR, our clients are reviewing the nature of their questionnaire by orienting them more towards the protection of personal data.
GDPR will not change bonus schemes
Incentive schemes do not require enough use of sensitive data for the GDPR to bring about a change in their calculation processes. On the other hand, it will be necessary to be more vigilant in the way of processing the collected data. At Primeum, we advise our customers on the correct data to transmit to us in order to carry out bonuses calculations and to avoid the transmission of unnecessary personal data, which lead to a risk in terms of security.