Pack'n Drive: complying with GDPR

The General Data Protection Regulation will come into force on 25th May 2018 in all European Union countries. Any company which processes personal data is to be affected - from big international groups to local startups - but there are many who don’t know about this regulation and who don’t understand what they have to do or the impact which this regulatory upheaval will have on their business.

The implications of GDPR are very variable from one startup to another,” explains Charles Bienfait, Senior Consultant at SG Consulting. “In some cases, the new regulation may call into question the company’s business model. For others, the issues will be more organisational or technical. It’s then a question of drawing up an appropriate response: identifying what must be done to comply on schedule.

That was the aim of the workshop organised by SG Consulting, Société Générale Group’s internal consultancy firm, on 22nd September 2017 as part of its annual seminar. Focused on the GDPR, and hosted by Charles Bienfait, it brought together ten consultants and the startup Pack’n Drive, founded in 2015 by Badri Ahmed and Clément Beaujoin and which is developing an assistance chatbot for car insurance claims.

General Data Protection Regulation

The General Data Protection Regulation will come into force on 25th May 2018 in all European Union countries. It aims both to strengthen citizens’ rights and to give them more control of their data and also to create a unified legal framework.
Find out more

“Digesting” legal terminology to transpose it in intelligible terms, explaining exactly what personal data is according to the regulation: Charles Bienfait provided important information and raised awareness before the day itself, providing the startup with research already conducted within the firm. He also sought to understand the team’s needs, to analyse their capacity to deliver and to determine what was achievable in a day. “Through my discussions with Pack’n Drive, I understood that their objective was to be ready by the end of December. I therefore suggested that they draw up a road map listing what needed to be done to achieve this.

Among the key points addressed: the processing register, the role of the DPO (Data Privacy Officer), the attitude to adopt in the event of a data breach, managing relations with providers and more.

What's a DPO ?

At the heart of the new European regulation, the Data Protection Officer (DPO) is a genuine "driving force" behind data protection compliance. His or her main tasks are:
- to inform and advise the data controller or subcontractor and their employees;
- to monitor compliance with the regulation and national data protection laws;
- to advise the organisation on carrying out impact studies on data protection and to verify their implementation;
- to co-operate with the supervisory authorities and to be their point of contact.

At the end of the day, the startup left with a detailed roadmap and a list of recommendations on the main challenges it may face as a basis for action over the coming weeks.For example, with regards to the processing register,” explains Clément Beaujoin, co-founder and CTO of Pack’n Drive, “the strategy we’ve adopted and which was suggested during the seminar involves minimising the amount of personal data which is processed and ranking data according to its risk in terms of rights and freedoms. We are then able to pseudonymize this data and, for the most sensitive data, we can apply other mechanisms such as data encryption.

Clément Beaujoint had a very positive view of the workshop: “What I really appreciated was the diverse skills and experiences of the attending consultants, which provided a very broad range of contributions to our discussions”. Charles Bienfait appreciated the involvement of his colleagues, who really got to grips with subject. “The experience made them more aware of entrepreneurship and of agile methods and encouraged them to toughen up with regards to the GDPR whilst also showing SG Consulting’s ability to help entities other than Société Générale,” he says.