Olivier Rigaudy, Deputy Chief Executive Officer of the Teleperformance Group
Which changes do you need to implement within your company in order to be compliant with the GDPR? Could you please, among others, detail, depending on the activity of your company, the measures that you have taken and that you will take regarding privacy by design and privacy by default?
Teleperformance operates in 77 countries, and thus, it also operates in countries that will not be subject to the GDPR. But the Group has decided to ensure a global standard level of protection that will be based on the GDPR. To do so, the Group has applied for Binding Corporate Rules (“BCRs”) for both Data Controllers (when it processes the personal data of its employees, candidates, among others) and Data Processors (when the company processes personal data on behalf of its Clients). The BCRs are based on a new Group Data Privacy Policy that will apply to each company of Teleperformance Group (whether it is located in the EEA or not).
Teleperformance has created the Privacy Office that is led by the Chief Privacy Officer and that is composed of 3 Data Privacy Officers (each responsible for the following regions: Americas (North, Central, South), CEMEA + UK, Portugal and Spain, Asia Pacific).
A specific training on the Group Data Privacy Policy will be implemented and a specific audit program to review the compliance of each subsidiary with the new Group Data Privacy Policy, the BCRs and the GDPR requirements was created.
We will ensure that the appropriate provisions set forth in the GDPR are integrated in our agreements whenever they include a processing of personal data.
We need to ensure that each company subject to the GDPR maintains the appropriate register up-to-date with all the necessary information relating to the processing of personal data.
We already have in place an incident response process that enables us to handle fraud events or data breaches, but this incident response process will be adapted to ensure that, (i) if there is a breach of the data of our Clients’ customers, we report the breach to the Client without undue delay and (ii) if there is a breach of the data of our employees, for instance, we are able to report the breach to the Supervisory Authority and the data subjects without undue delay too.
Privacy by design and by default: Teleperformance has already established a Technology Privacy Committee that aims at discovering potential information privacy issues before Teleperformance implements new processes, technologies, systems, programs, and devices.
Which difficulties do you encounter to ensure compliance with the GDPR?
Teleperformance acts as both Data Controller and Data Processor, thus we need to ensure that we are compliant with the GDPR in both scenarios.
It was a long process to proceed with the data flow mapping because Teleperformance is located in 77 countries.
We need to ensure that all the persons within the company understand the Group Data Privacy Policy (the agents, sales team, HR, management, etc.), and Teleperformance employs more than 210.000 employees around the world.
Not all countries ensure the same level of protection (some of them provide for quite a low level), and thus, we will have to ensure that even the subsidiaries located in those countries are compliant by May 2018.
What do you think about the cultural change introduced by the GDPR (from a system of “obligation to declare” to the “principle of accountability”)?
This obliges us to put in place the appropriate process and training to ensure that the companies properly maintain and update the Register in which the processing will be detailed. Indeed, the burden of proof is reversed and it is now the company that needs to prove that it is compliant, while before, it was up to the Data Protection Authority to show the non-compliance of the company, and thus the company had some time to regularize the situation. This is more stringent for the companies but this will help increase the confidence of the employees in the processing of their personal data and this will reassure our Clients when we process the personal data of their customers.
How do you see the evolution of the life of the company with the GDPR?
The GDPR will provide assurance to our employees that their personal data will be adequately protected. Regarding our Clients, on the one hand, there will be more and more discussions regarding the negotiations of the agreements and the liability provisions but we believe that the GDPR will provide assurance to our Clients that personal data of their customers is adequately protected. In addition, thanks to the BCRs that we are implementing, this will give us flexibility to choose service locations depending on our Clients’ operational needs without worrying about international data transfer laws as all the companies of the Group will provide for the same level of protection.
We already conduct audits to ensure that the companies comply with the security and compliance policies that the Group implemented in 2015 in order to reduce security and fraud risks, thus the compliance with the GDPR will be integrated into the audit program. We already have a strong culture of security, thus, we are already used to aligning our processes and implementing new tools to protect personal data.