Sunday , 4 June 2023
Assessment and implications of the GDPR for Moroccan service providers in 2021

In November 2017, a few months before its entry into force, LTE magazine explained what the new General Data Protection Regulation of the European Union implied for Moroccan service providers [1]. The GDPR is now firmly in place, but its results are mixed. After a brief reminder, we take stock of the situation and provide some perspectives at the global level as well as from the point of view of Morocco.

GDPR at a glance:

The General Data Protection Regulation (GDPR) defines guidelines targeting companies and public entities that hold and process identifiable and personal data of European Union nationals [2]. It aims to increase the protection of individuals in the processing of their personal data and to make those involved in this processing more accountable. Its approach is to protect data from end to end, which means that its scope extends beyond the borders of the European Union in a series of scenarios that also concern Moroccan companies. This applies, for example, to a European citizen who must communicate personal data during a trip outside Europe, or to a foreign company that processes personal data as a subcontractor. To this end, the GDPR introduces a series of major principles such as:
● Consent: it becomes explicit and positive, i.e. it is controlled by the citizen who can withdraw it at any time. The company must be able to provide proof of consent. This impacts, for instance, the management of consent banner display in relation to the use of cookies.
● Transparency: companies must be able to provide individuals with clear and unambiguous information on how their data will be processed through a registry.
● The rights of natural persons: the right to access their data, the right to be forgotten, the right to limit processing (in specific cases) and the right to data portability.
● The concept of accountability: this aims to make companies mature so that they no longer have to go through prior checking, while still retaining proof of their compliance with the regulations.
● Potentially very heavy penalties are also available in the event of non-compliance.
At the operational level, the GDPR relies on a Data Protection Officer (DPO) to ensure data governance and monitor corporate compliance. The procedures deployed cover the mapping of processing activities to establish a personal data processing register, a risk analysis, a prioritized action plan, its implementation in internal procedures, and documentation to prove compliance. Putting this in place imposes data security measures along several lines of defense: intrinsic security principles “by design”; the management of flows between the actors involved in the processing, in particular subcontractors, “by contract”; and lastly, in the event of a data leak, the obligation to notify a national authority (DPA – Data Protection Authority) within 72 hours.

Record in 2021:

After an initial phase of concern, the GDPR has resulted in real awareness and has created momentum in addressing the issue of data protection. Thus, the number of DPOs has increased sharply, with more than 500,000 public or private organizations operating in Europe alone. In 2021, 47% of companies believe they have achieved a level of compliance above 70% [3]. In terms of violations observed, more than 800 fines were imposed, mainly on big tech multinationals, amounting to more than one billion euros.
Above all, the GDPR has provided a comprehensive and harmonized framework that facilitates the processing of citizens’ privacy data and builds trust. End-to-end protection has had a catalytic effect far beyond the EU as an estimated 144 countries now have privacy-friendly laws, often in alignment with the GDPR.
Concerning Morocco, Law 09-08 prior to the GDPR (2009) already ensured the protection of individuals with regard to the processing of personal data by relying on the National Commission for the Protection of Personal Data (CNDP). This law is also based on the concepts of the approval of the person concerned and on a clear determination of the purpose. It was formulated in harmony with the European framework preceding the GDPR and forms a solid basis if upholding it is necessary. In the case of subcontracting the processing such as off-shoring (Business Processing or call centers), clauses aligned with the GDPR are part of the contract with the controller located in Europe, and with specific constraints. For example, an authorization is necessary to extend the processing to other subcontractors who are then impacted too [4].
In terms of cybersecurity, the GDPR has encouraged the application of best practices in order to be better protected against cyber-attacks. This comes at a cost, however, and small businesses lag behind larger organizations. Companies have also been better equipped to face the impacts of the pandemic, in particular to reorganize flows towards telecommuting as well as to implement health and traceability applications.
Note also the disappearance of the Privacy Shield, negotiated in 2016 between the EU and the US. This delegation scheme did not offer sufficient guarantees and was canceled in July 2020. Since then, American companies have invested heavily in the GDPR. At the Moroccan level, we can draw a parallel with the list of countries recognized as having a solid legislative framework for the protection of personal data; essentially the countries of the extended EU and Canada but not the USA. Brexit has also generated a special variant of GDPR: namely the UK-GDPR.

Some perspectives:

Overall, the implementation of the GDPR remains a difficult task that requires overcoming many obstacles in terms of expertise, resources, trade-offs within the organization or resistance to change. To this end, more and more companies are setting up a dedicated unit independent of business services, or even outsourced, in order to have specialization and pooling effects.
At the legal level, the GDPR as such should not evolve in the short term. For its part, Moroccan law, already largely aligned with international principles, should evolve in order to further increase synergies in this area. This is included in the spirit of Morocco’s accession in 2019 to Convention 108 with regard to the automatic processing of personal data [5]. In the longer term, it is also envisaged that the procedures will be based more on the principles of downstream control (accountability) evolving from the current declaration or authorization procedures that operate upstream of processing [6].
(*): Mr. Christophe Ponsard, CETIC, Center of Excellence in Information and Communication Technologies in Belgium. Mail: christophe.ponsard@cetic.be
(**): M. Mounir Touzani, INRAE, National Research Institute for Agriculture, Food and Environment, Toulouse France. Mail: mounir.touzani@inrae.fr

References:
[1] LTE Magazine Maroc, RGPD et impact sur nos prestataires (November 2017)
https://lte.ma/nouveau-reglement-general-sur-la-protection-des-donnees-de-lue-quel-impact-sur-nos-prestataires/

[2] Règlement 2016/679 du parlement européen et du conseil (27 April 2016)
https://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:32016R0679&from=FR

[3] Baromètre RGPD 2021 : 3 ans après, quel bilan pour les entreprises ? (17/06/2021)
https://www.efl.fr/actualite/barometre-rgpd-2021-3-ans-bilan-entreprises_fd06be4ae-ec56-4fa7-b937-73564a6e9c85

[4] Les sociétés marocaines sont-elles concernées par le RGPD ? (30 November 2020)
https://www.sia-partners.com/fr/actualites-et-publications/de-nos-experts/protection-des-donnees-personnelles-comment-se-mettre-en

[5] Bienvenue au Maroc, 55ème Etat partie à la Convention 108 (28 May 2019)
https://www.coe.int/fr/web/data-protection/-/welcome-to-morocco-55th-state-party-to-convention-108-

[6] RGPD, loi 09-08 au Maroc: quelles sont les règles pour les entreprises en 2021 ? (12/01/21)
https://podcast.ausha.co/parlons-gdpr-securite-by-tnp/rgpd-loi-09-08-au-maroc-quelles-sont-les-regles-pour-les-entreprises-en-2021

LTE.ma 2023 - ISSN : 2458-6293 Powered By NESSMATECH