In this interview, Philippe Gellet, president and founder of Kizeo, and Camila Mazas, operational director, review the main lines of the European regulation on the protection of personal data. Through this interview, they present to us:
- The thought process put in place by Kizeo to meet all the requirements of the GDPR.
- Their intention to create a space of listening and collaboration between Kizeo and its customers.
- The tools that will be put at your disposal to help you comply with the GDPR.
Kavitha: Hello Philippe, in a few words, can you please explain to us what the GDPR is?
Philippe: The General Data Protection Regulation (GDPR) is a regulatory text[1] that was approved by the European Parliament in 2016. It will come into force on May 25, 2018 and will strictly regulate the use of personal data of European citizens.
Kavitha: Why such measures?
Philippe: Currently, there are completely different laws in the 28 states of the European Union (EU) to protect citizens against the use of their personal data. Through this regulation, the EU intends to have a single legal arsenal that is fully applicable in all EU countries and in line with our times. In addition to this interstate regulatory harmonization, new rights will be created, such as the right to be forgotten and the right to data portability. Thus, the protection of the privacy of European Internet users will be strengthened.
Kavitha: Who should be concerned about the GDPR?
Philippe: All companies are concerned by the GDPR from the moment they handle personal data in the course of their activities. Indeed, whether they are public or private, data controllers or processors (subcontractors), they will have to comply with the GDPR. It should be noted that this regulation will also apply to companies not established in the EU, as long as they collect personal data concerning European citizens.
Kavitha: What must we have imperatively put in place by May 25th?
Philippe: All companies must have defined a set of actions that will allow them to be, within 3 years, in compliance with all the new regulatory obligations required by the GDPR. Clearly, it is imperative to have defined a realistic plan of action by May 25th.
Kavitha: What is Kizeo’s approach to the GDPR?
Camila: We wish to have a proactive approach towards this new regulation. This is why we decided to set up internal working groups on the subject. This approach aims to capitalize on the experience and global vision of our employees to define, by department, actions that are relevant, realistic, time-bound and achievable.
Kizeo is also part of the association VPN (Vaucluse Pro Numérique), which has brought together companies of the digital sector since January 2018. VPN has set up a specific working committee on the GDPR. As part of this committee, a working group composed of technicians and developers (including Vincent Demonchy, our R&D manager) has reflected on issues related to development and IT infrastructure. The goal is to define what needs to be done in terms of IT infrastructure, development and security to comply with the GDPR and in particular to guarantee our customers “privacy by design”. We will also evolve our HR processes (confidentiality charter, internal regulations …) to adapt/update them to the specificities of the GDPR.
Kavitha: How are we going to be proactive with our customers?
Philippe: On Thursday, May 3, we published an article, “What is GDPR (General Data Protection Regulation)?”, along with an infographic and a newsletter on the subject. The purpose of these documents was to simplify and clarify the “GDPR”. Given the importance of this topic, we wanted to speak directly to our customers through this interview.
Beyond all the information we have delivered, we are convinced that it is essential to be able to identify the questions, fears or motivations of our customers about the GDPR. That is why, to go even further, we have set up, at the end of this interview, an anonymous space for expression. It will allow you to express yourself freely and to inform us of your requests for information, your expectations and your wishes.
The opinion of our users counts enormously for us: we wish to bring concrete answers to all your questions. We will take the time to answer them through a FAQ and/or one or more articles.
Kavitha: Who is the Data Protection Officer (DPO) at Kizeo?
Camila: First of all, a little explanation! The DPO is a person whose main mission is to demonstrate the compliance of a company with the regulations imposed by the GDPR. To do so, they monitor the implementation of the directives: they are, in a way, the “bridge” between the company and the CNIL. At Kizeo, the Data Protection Officer is our president, Philippe Gellet. He will be helped in this task by Vincent Demonchy, R&D manager.
Kavitha: Where is the personal data stored?
Philippe: We are working with OVH, a French company specializing in cloud computing services, which is strongly committed to quality of service, as demonstrated by its numerous certifications and awards:
- PCI DSS certification
- ISO/IEC 27001 certification
- SOC 1 Type II and SOC 2 Type II reports
- Cloud Security Alliance STAR self-assessment
- HDS approval
- OpenStack Powered certification
Kavitha: How are we going to help our clients to comply with the GDPR?
Camila: It is the responsibility of our customers to comply with the GDPR. However, we want to go further by providing them with effective, efficient and automated tools. In this way, users of Kizeo Forms will have an immediate overview of the personal data they process. In a few months, we will give the opportunity to “tag” a question (“field”) as personal data when creating a form. The goal is to give our customers access to an export (Excel/CSV) of all fields identified as containing personal data. In this way, they will be able to accurately map the personal data collected from their clients.
Currently, it is already possible, using our system of “rights / groups”, to restrict access to personal data, so that only the people concerned by this information have access to it. This system makes it possible to identify who can see, modify or delete data and its contents. It is also possible, after data entry, to automatically send the information collected by our users to their customers. For this, it is sufficient to define the sending by e-mail of a copy of the data (PDF format) to the person concerned.
Kavitha: What kind of personal data of our customers do we necessarily need for smooth functioning of the application?
Philippe: We systematically ask our customers to give us their last names, first names, e-mail addresses and telephone numbers. This information is necessary for us to make the Kizeo Forms application work as smoothly as possible and to guarantee an optimal quality of service. It can be modified or deleted at any time. We use this data to inform them of changes made to the application and/or to contact them in the event of a malfunction.
Kavitha: What if I want to have access to my personal data or delete it?
Camila: Kizeo Forms users have the option, from their personal space (Kizeo Forms > Data > History), to view, delete or export all or part of their entries. Follow the steps below in order to achieve this:
- Delete data:
- Export the data:
Users of Kizeo Forms can also contact us by e-mail to inform us that they wish to delete an account or data. Please note that this step is not reversible: once the data is deleted, it is impossible to recover it.
It should be noted that all the data stored on our servers can be exported in different ways (e-mail, FTP, Dropbox, web service, HMI, SharePoint connector or database) and in different formats (XLSX, DOCX, PDF, CSV, JSON).
We’re listening to you!
[1] A European regulation is similar to a directive in its content. The difference from a directive lies mainly in the fact that a regulation benefits from what is called direct effect. This means that it is fully applicable in all EU countries without the need for any national transposition text. Thus each citizen can invoke a European regulation to make a case before a French judge, with no need for any law to be adopted by the French Parliament.