The European General Data Protection Regulation (GDPR) came into force in May 2018, and there is a debate about potential convergence between Moroccan data protection law (09-08) and the GDPR standard. This means that there is a good chance that the control and verification mechanisms set up by the National Commission for the Control of the Protection of Personal Data (CNDP) in Morocco will need to be strengthened.
Law 09-08 sets out rules and principles for the collection and processing of personal data. It states, for example, that the purpose for which the data is collected must be determined and made explicit. There is a principle of minimalism: the data must be relevant and not excessive for the purpose for which it has been collected. All reasonable measures must be taken to ensure that the data is accurate and, if necessary, updated. Data must also be kept only for a limited time, although this depends on the purpose for which it has been collected.
The existing situation
The law also makes clear that data should not be obtained or processed using illicit or unfair methods. Data may only be processed if the data subject has given consent to the proposed transaction. Data subjects – that is, the people to whom the personal information relates – may request information about the rationale behind the processing of their personal data. They may also ask for their data to be updated, corrected or erased.
What, though, is meant by personal data? It is basically any information that enables identification of a person. It may include demographic information, such as name, date of birth, age, or nationality; contact information, such as address or email; banking information like account or credit card numbers; information about official ID documents, such as passport numbers; social network information like Twitter or Facebook URLs or handles; and details about employment or qualifications. Sensitive personal information, on which the GDPR imposes special restrictions, includes information about health, political affiliation, religion, ethnicity and genetics.
The obligations of data managers
The law also places a number of obligations on data managers, the people in charge of and responsible for safeguarding and managing personal data. These include the chief data officer and the chief information officer. They are required to put in place technical, organisational and legal measures to guarantee that their organisation respects the obligations set out in the regulation. They also have to ensure the security, confidentiality and integrity of all personal data held by the organisation.
Individuals and companies carrying out processing of personal data are responsible for:
- Providing and keeping the necessary statements that all the processing is lawful.
- Recording details of the storage and processing that has been carried out on the data.
- Recording details of the origin of the data and the rationale for the processing.
- Providing data security and control measures.
To make it easier for businesses, many data governance solution providers have added specific modules to their products to support compliance with personal data protection laws. These modules generally support:
- Search and identification of personal data in a system.
- The mapping of this data and the identification of associated processing.
- Any previous and follow-up processing on particular data.
- The application of access and use controls and data protection principles (including pseudonymisation, encryption, minimisation, anonymisation and suppression).
- Generation of dashboards on inventory, data quality and security, and regulatory compliance reports.
These solutions are designed to enable companies to manage data as an asset. They also ensure that transformation and digital intelligence projects will be governed by and comply with all the applicable standards and regulations. They are, in other words, an essential tool to manage compliance – but also a way to turn compliance into a competitive advantage.
Compliance as a competitive advantage
Excitement is not the most common reaction to any compliance-related discussion. That might be about to change with analytics-led innovation becoming more widespread. The hunt for data to train models means profiling data is becoming more critical. Compliance, when handled in a strategic manner, can, in fact, support innovation.