Interview with Xavier Lefevre - CEO of Fair & Smart

We now live in a GDPR world where companies doing business in Europe can be fined with up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher, if they or their services do not comply to GDPR.

As the dust settles, the post implementation began and we await increasing enforcement actions under GDPR.

In preperation of the GDPR+1 Data Privacy Conference which takes place on the 22nd May 2019 in Luxembourg we had the opprotunity to interview Xavier Lefevre, CEO of "Fair&Smart SAS" - a service provider offering a simple, efficient and secure data privacy management solution - regarding his impressions on the influence of the GDPR on his business case.

GDPR+1:

To what extent has data protection influenced your corporate culture or the corporate culture of your clients? 

Data Protection is our DNA at fair&smart so I may talk about our clients. We’ve seen a huge impact of GDPR when it came into force, on two different levels.

At the individual level : Though a lot of the data protection principles that are included in GDPR were not new, they were not really taken into account or even known by the employees who should have implemented them in most organisations. Now, data protection is far more widespread and known by the employees of our clients. Since change comes from the people, it is some very good news.

At the corporate level : We have noticed that most data protection issues, at the end, came up to the highest level of decision in most companies (Board of Directors, Executives…). It is not just about balancing risks and expenses regarding different levels of compliance, some companies have noticed that data protection becomes a key element of customer satisfaction. So they want to stay ahead in terms of data protection in order to stay ahead in terms of customer satisfaction. We help them do that.

GDPR+1:

 What was the biggest challenge for your company / is still the biggest challenge for your clients while implementing the GDPR?

The biggest challenge for our clients so far was to identify all the personal data and processing activities that existed, and then try to rationalize them. Our clients are big companies with very complex and heterogeneous IT systems. So it was a very huge work that took more time than expected for almost everyone.

The second biggest challenge was to acculturate all stakeholders to the importance of data protection and try to change some mindsets which belong to the past. Most companies have really done well on this part in France.

The challenge coming is probably the biggest one : it is about going beyond basic GDPR compliance and make data protection a business accelerator. What does a good experience in personal data management means for my customers ? How can I differentiate from my competitors ? In short, it is about turning the B2C aspects of GDPR compliance (consent management and replies to rights requests) into visible elements of customer satisfactio

GDPR+1:

What was the most important lesson you learned in the course of the practical application of the GDPR?

The most important lesson is about consent management : managing consents is highly important since it is the most visible part of an organisation’s compliance (or its non-compliance). But it is actually far more difficult than it looks at first sight. We have seen really few organisations that have implemented a truly compliant consent management platform. It is a very important point though, as consent is already the legal basis for processing particular kinds of data (like health data) but is also more and more used in many cases, like third-party sharing for instance.

Beyond the four well-known conditions of a valid consent : free, specific, informed and unambiguous, a valid consent may also be revoked anytime by the user and the data processor must be able to prove its validity. How to prove that validity ? What reliable source of time must be used ? What level of protection should be implemented since a consent is a personal information (e.g. even if you do not know what data I have shared with an oncologist and for what purposes, the fact that I have shared data with an oncologist tells something about me) ? How to find the appropriate balance between the wishes of my DPO and the wishes of my CMO in terms of customer experience ? At the end, how to make the management of consents a marker of trust towards my customers, which helps leverage trust and grow business  ? Those issues are not all answered yet but show that consent management is a specialist job. At fair&smart, we work on it since 2016 and learn everyday from data subjects feedbacks and expectations.

GDPR+1: We thank you for the interview and are looking forward to meeting you at GDPR+1.