The GDPR, which came into force four years ago, requires companies to exercise strict control over their personal data processing activities. Many organizations find themselves in difficulty trying to meet these requirements. Dastra, a start-up present at VivaTech 2022 with IMT, has developed a SaaS platform that helps companies stay in compliance with data regulations.
On April 27, 2016, the European Parliament published a text that shook the corporate world: the General Data Protection Regulation (GDPR). Two years later, on May 25, 2018, the reform came into effect in the European Union. Windows requesting visitors’ consent to the processing of their personal data started to appear on websites. Although internet users are now familiar with this mechanism, it is in fact just the tip of the iceberg.
Organizations must now respect certain requirements with regard to personal data. For example, they must keep a record of data processing activities, ensure maximum security for the data collected, allow users to access, rectify and delete data concerning them, etc. Some are even required to appoint a Data Protection Officer (DPO) in charge of GDPR compliance. All companies must designate a person responsible for the matter.
Compliance is not always easy for everyone
This new legal framework affects all companies collecting information from their users, from large corporations to small businesses. While in some sectors, such as banking and insurance, organizations are used to such constraints, for others it is a real challenge. “GDPR compliance is tricky to implement and even harder to maintain,” says Paul-Emmanuel Bidault, co-founder and CEO of Dastra, a start-up incubated at IMT Starter. “This is largely because, in order to protect data, the company must already know where it is. However, DPOs are often equipped with no more than a pen and paper or an Excel file.” This hardly seems adequate for the task of monitoring data that is stored in multiple locations and that is constantly evolving as a result of different processing activities, which are generally not all clearly identified either.
Close collaboration with all of the company’s departments is therefore essential to the DPO’s role. “However, DPOs often work alone, in a sort of ivory tower,” says Paul-Emmanuel Bidault. This lack of governance and structured procedure around data processing further complicates managers’ tasks.
A sword of Damocles hanging over companies
Failure to comply with the GDPR can have serious consequences. First of all from a financial point of view, with penalties of up to 4% of annual turnover or €20 million. It can also damage the image of a company, which risks losing its users’ trust.
Four years after the GDPR came into effect, are the stakes still high? “We’re coming to the end of a period of tolerance on the part of the European authorities,” says Dastra’s CEO. “For example, in the space of a year, the penalties have increased fivefold across Europe.” Another warning sign: the CNIL (French National Commission for Information Technology and Civil Liberties) recently decided to outsource the management of data processing complaints in order to increase its scope of intervention.
This step was made necessary by the insufficient number of organizations that successfully comply with the GDPR. “Today, only 30% of companies have up-to-date records of their processing activities, even though it is a basic step towards compliance,” explains Paul-Emmanuel Bidault. The current trend looks set to continue, with new European regulations such as the upcoming Data Governance Act (DGA).
Simplifying the DPO’s job
In this context, the DPO has a strategic role in organizations, but in order to effectively meet the requirements of the GDPR, these data managers need to be equipped. Dastra proposes a solution to do just that: a SaaS platform designed for DPOs to simplify and automate the implementation and monitoring of GDPR compliance within companies.
The platform offers all the necessary functionalities for complying with the law:
- Data mapping and processing activity record
- Risk management, audits and privacy impact assessments
- Establishment of processes for rights requests, consent gathering and maintenance of a data breach register
- Management and monitoring, in particular via dashboards and workflow systems
The software also includes legal aspects and quizzes to allow users to progressively learn about privacy-related issues. This comprehensive offer is complemented by support from the start-up, for a truly “turnkey” solution.
Strong and effective GDPR compliance
Firstly, Dastra allows organizations to comply with the law, which is obviously essential. In the event of an inspection by the CNIL, they can demonstrate their commitment to GDPR compliance and avoid sanctions.
But this is not the solution’s only advantage. “Our added value also lies in the fact that users can comply with the law in an efficient way,” explains Dastra’s co-founder. “By simplifying the DPO’s task, we offer companies a better compliance/cost ratio.” This is a key advantage because the sums at stake can be enormous. For example, the cost for companies of managing rights exercise requests alone has been estimated at an average of $200,000 per year. To reduce these costs, the start-up automates the processes involved as much as possible.
However, it is not possible to automate all parts of the process, especially those involving collaboration. For these tasks, Dastra helps the DPO orchestrate actions, such as by using a planning tool to facilitate the involvement of the different stakeholders concerned.
The start-up has also developed multiple connectors to allow seamless integration with organizations’ information systems (IS). The aim is to incorporate privacy management into internal business procedures to help maintain GDPR compliance in the long term and sustain the approach.
Changing perspectives on GDPR
While Dastra is currently focusing on European countries, starting with France, the start-up also aims to conquer other regions where privacy issues are a concern, and there are a lot of them: today, around 150 countries have data privacy regulations, one example being Canada’s Bill 64, which is similar to the GDPR.
However, the objective for organizations is not to simply avoid sanctions from the authorities. “Complying with a regulation like the GDPR is beneficial in many respects,” says Paul-Emmanuel Bidault. “It helps improve data use, protect the company from cyberattacks, avoid data leakage and build a relationship of trust with users.” In this respect, Dastra helps change companies’ views of the GDPR and turns something they once considered a constraint into an opportunity.