Responsibility

28 January is European Data Protection Day!

Interview with Marie-Laure Constans, Group Data Protection Officer.

Marie-Laure Constans, DPO Société Générale

To mark European Data Protection Day, which takes place on 28 January every year, Marie-Laure Constans, the Societe Generale group’s Data Protection Officer (DPO), reminds us of her key role within the Bank and the challenges the Group faces regarding the protection of personal data*.

DPO at Societe Generale: the guardian of personal data

In view of the proliferation of uses of personal data, numerous legislative measures have been and are continually being created or strengthened to better monitor its use. Amongst these measures, in 2018 the European Parliament adopted the General Data Protection Regulation (GDPR), thus providing those concerned with greater transparency regarding how their personal data is used and simultaneously introducing the principle of responsibility that requires companies to be able to demonstrate their compliance with GDPR.

As trusted third parties, banks are particularly sensitive to the protection of the data they handle. As DPO for the Societe Generale parent company (SGPM), Marie-Laure, together with the DPO Office team, provides data, project and business teams with expertise. As the main contact for the French data protection authority (CNIL), her responsibilities include monitoring compliance with the GDPR. Through local correspondents, she informs and advises the Bank's business lines on their obligations.

“My role is to ensure employees’ and customers’ confidence and trust in Societe Generale”, Marie-Laure explains.

Protecting data: an ever-evolving challenge

To ensure an appropriate level of protection, regulations require that we only process personal data that is strictly necessary, that we keep it secure and that we delete it once it is no longer essential. 

Furthermore, with GDPR, every person can exercise their rights (such as their right to access, rectify, oppose and be forgotten) vis-à-vis entities that handle their personal information. “To comply with data protection requirements, from the outset, all our IT tools must thus be designed to be capable of meeting all regulatory demands”, Marie-Laure continues.

These challenges are all the more complex given ever-changing regulations, a society in which new technologies are evolving at a faster and faster pace and a growing volume of processed and computerised data.  

“I organise the compliance set-up to ensure everything is moving in the right direction. I anticipate transformations based on the regulatory monitoring of the legal teams and I adapt my roadmap to the new risks”, Marie-Laure says.

Societe Generale: Let’s all protect our data together!

Ensuring that members of staff are aware of the importance of data protection is crucial. Regulatory training is deployed at Group level. At the same time, DPOs and local correspondents educate and advise teams at a local level. “The job of DPO is not an office or theory-focussed one. We closely support our businesses’ activities and developments every day in order to detect ahead of time and deal with any aspects that could be a source of risk. I put a particular emphasis on the proximity of DPOs in their entities, and I myself regularly go and meet with them”, Marie-Laure explains.

Altogether, there are 27 data protection supervisory authorities in Europe. In France, the Group refers to and complies with the requirements of the CNIL. “I have an amazing team, a network of some sixty people that I regularly bring together to share and align our objectives. I rely a lot on the teams in our entities. They prevent situations in which our astute regulatory expertise is essential, they train the specific business lines within their scope and help secure the IT systems”, Marie-Laure stresses. 

Lastly, she points out that “protecting personal data is a key issue for Societe Generale, and increasing staff awareness and adopting best practices are crucial steps to ensure the day-to-day protection of the data we handle”.

*personal data refers to any information pertaining to a physical person that could be used, directly or indirectly, to identify them.