How does data cataloging help meet the challenges of DCPM regulations?



Ensuring the compliance of processing operations involving DCP (Data of a Personal Nature) is at the heart of the day-to-day tasks of any DPO (Data Protection Officer). Experience shows that DPOs are not always well informed about the specific obligations relating to DCPM, i.e. military personal data. Yet the stakes associated with these obligations are high, and failure to comply with them can have serious consequences for organizations and their managers, including criminal prosecution.

Thanks to its Phoenix platform, and more specifically the MyDataCatalogue module, Blueway supports companies in identifying, classifying and remediating sensitive data, to ensure compliance with military personal data regulations. In this article, we explore the implications of DCPM management, the best practices to be implemented and the operational solutions available.

A particularly restrictive set of rules for DCPM

The aim of the law of June 3, 2016, which established the regulatory context applicable to DCPM (Military Personal Data), is explicit: to increase the level of protection for military personnel, within a framework falling under the need to strengthen “the fight against organized crime, terrorism and their financing”. To achieve this goal, the legislator requires the companies concerned to follow a specific procedure for processing DCPM in their systems:

  • Specific declaration to the DRSD (Defense Intelligence and Security Directorate).
  • Appointment of an RTD (data processing manager), a natural person belonging to the company, specifically authenticated by a DRSD zonal correspondent, and responsible for exchanges with the DRSD within the framework of the application of the system.
  • The RTD is responsible for maintaining and communicating to the DRSD an exhaustive list of persons accessing or who may access Military Personnel Personal Data.
  • The RTD assists the DRSD with any administrative security investigations that the DRSD carries out on persons accessing or potentially accessing Military Personal Data.


The restrictive nature of the system is fully intentional: in addition to its effectiveness in achieving the desired objective, it also helps to limit the surface area of exposure to cybersecurity risks, by dissuading companies that don’t absolutely need to retain Military Personal Data from doing so. The DRSD website states quite directly that “This process is iterative, time-consuming and restrictive. If you can do away with DCPM, you are advised to delete them or remove any reference to military status”.

Who is affected by the DCPM regulatory framework?

First of all, let’s clarify what characterizes a DCPM. The text specifies that it is “data which, when read alone, enables a relationship to be established between a person, his or her status as a member of the military and one or more personal data concerning that person”. To clarify the interpretation of this wording, examples are given, such as the association of a name with a rank, or a rank with an address.

All companies in the private sector are covered by the system, including foreign companies with data processing operations in France. While the collection of customer occupation data is a relatively widespread practice in all sectors, it is all the more common among financial sector operators (banks, credit institutions, insurance companies), as this data is used to assess solvency and accident rates.

Unlike the GDPR, the DCPM scheme follows its own timetable: it came into force on April 1, 2019. The decree of October 29, 2018 also defined a relatively short adaptation period, with full compliance expected from the companies concerned by June 21, 2019.

The penalties for non-compliance are intended to be dissuasive, involving both fines (from 100,000 to 300,000 euros) and prison sentences (from 1 to 3 years’ imprisonment). It should be noted that negligence does not exempt a company from liability.


Data cataloguing for DCPM compliance

With the exception of a few special cases (such as the management of insurance products specifically designed for the military), the application of DCPM regulations requires that data assets be desensitized to the characterization of military status.

To achieve this, the first step is to identify the zones concerned in the Information System. Inevitably, for the reasons explained above concerning the correlation between profession and risk profile, DCPMs are likely to be found in the “profession” fields of applications that manage the allocation and lifecycle of financial products: home loans, consumer loans, current and savings accounts, life and non-life insurance, etc. Dozens of applications are likely to be involved, each with several tables that may include a “profession” field. Of course, this also applies to companies in all sectors of activity, from services to industry.

So far, one might say that the DPO can still deal with the subject “manually”, through exchanges with the business referents of the various applications concerned. But this is obviously not optimal, not only because it requires the availability of many players, but also because, for certain legacy applications, it is to be feared that no one has complete mastery of all the schemas of the various databases. From this mapping phase onwards, the use of an automated data cataloguing solution is therefore relevant to speed up and complete the task of listing all the tables in which a field dealing with a customer’s profession exists.

An automated “data discovery” tool becomes absolutely essential when investigations have to go to a finer level of granularity, beyond field headings and down to the content of the fields themselves. When it comes to searching for DCPM within application assets, this need can be justified for at least two reasons:

  • If the technical titles of certain fields are insufficiently explicit to understand the type of data they contain: an exploratory approach to the content of the field can then be used to check whether or not it contains DCPM.
  • In the case of free-format comment fields, whose content may by definition include DCPM. Note that in the context of applications designed to manage customer relations, such fields are generally used in good faith by operators to gather as much information as possible, which inevitably raises compliance issues with regard to both the GDPR and DCPM.


The need to know how to query at unit data level is also a prerequisite if you want to validate the compliance of unstructured data sources such as office directories, mail servers or shared workspaces.

For companies wishing to ensure the highest level of compliance with DCPM regulations, it is therefore essential to equip themselves with a solution which, like the Phoenix platform’s MyDataCatalogue module, is capable of mapping sources not only on the basis of their metadata, but also on the basis of the records contained in these sources.

MyDataCatalogue: a collaborative tool for remedying DCPM compliance deviations

While the ability to automatically map one’s data assets is a sine qua non for correctly and exhaustively identifying sources containing DCPM, it is not sufficient to achieve the ultimate goal, which is, of course, to bring the company into compliance. In fact, once any discrepancies due to the presence of DCPM have been identified, remediation operations will have to be carried out.

It is in this remediation capability that Phoenix’s MyDataCatalogue module once again sets itself apart from the competition, offering collaborative workflows that enable each player to intervene effectively within his or her field of responsibility:

  • For unstructured data sources, a simplified portal enables each owner of sources containing DCPM to confirm his or her agreement to their deletion. Where appropriate, if there are reasons to retain certain sources, he or she will have to intervene to desensitize them with regard to DCPM regulations.
  • For structured data sources, the remediation work can be automated with the solution, as long as a dedicated profession field is involved, by systematically replacing the mention of a military profession with a neutral mention such as “public official”. If the DCPM appears in a comment field, this desensitization will have to be carried out by an operator, to whom our solution can assign a notified task, with, if necessary, follow-up of the ticket to create an audit trail.

Our learning curve on the tricky subject of DCPMs also involved resolving some unexpected difficulties. One example among many is ambivalent ranks: this is the case with the word captain, “capitaine de frégate” clearly constituting a DCPM when associated with a name, whereas “capitaine d’équipe de soccer” obviously does not fall within the scope of the regulations. We have therefore had to put in place specific rules to deal with this type of exception and prevent them from generating false positives that would pollute alert systems.
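
As an added illustration (not Blueway's code or MyDataCatalogue's rule set), the sketch below combines the two remediation paths for structured records with the ambivalent-rank exception described above, applied to records that associate a name with a profession. The rank vocabulary, the qualifier lists, the `review` state for a bare ambivalent word and all function names are assumptions; the sample records are constructed.

```python
import re

# Constructed vocabulary for illustration only; a real deployment needs a maintained list.
RANKS = ("sergent", "adjudant", "colonel", "militaire")
AMBIVALENT = {  # word -> (qualifiers that confirm a rank, qualifiers that rule it out)
    "capitaine": (("de frégate", "de corvette", "de vaisseau"), ("d'équipe",)),
}
NEUTRAL = "public official"  # neutral mention quoted in the article


def classify(text):
    """Return 'dcpm', 'review' (ambivalent word without context) or 'clear'."""
    t = re.sub(r"\s+", " ", (text or "").lower().replace("’", "'"))
    if any(re.search(rf"\b{re.escape(r)}\b", t) for r in RANKS):
        return "dcpm"
    verdict = "clear"
    for word, (military, civilian) in AMBIVALENT.items():
        for m in re.finditer(rf"\b{re.escape(word)}\b\s*([^.;,]*)", t):
            context = m.group(1)  # text following the ambivalent word
            if any(context.startswith(q) for q in military):
                return "dcpm"
            if not any(context.startswith(q) for q in civilian):
                verdict = "review"  # assumption: a bare ambivalent word goes to a human
    return verdict


def remediate(record):
    """Apply the two remediation paths to one record; returns (record, actions)."""
    fixed, actions = dict(record), []
    prof = classify(record.get("profession"))
    if prof == "dcpm":
        fixed["profession"] = NEUTRAL  # structured field: automatic replacement
        actions.append("profession:auto-replaced")
    elif prof == "review":
        actions.append("profession:review")
    note = classify(record.get("comment"))
    if note != "clear":  # free text is never rewritten automatically
        actions.append("comment:operator-task" if note == "dcpm" else "comment:review")
    return fixed, actions


# Constructed sample records (fictional people).
SAMPLE = [
    {"name": "A. Martin", "profession": "Capitaine de frégate", "comment": ""},
    {"name": "B. Durand", "profession": "Enseignant", "comment": "Capitaine d’équipe de soccer"},
    {"name": "C. Petit", "profession": "Capitaine", "comment": "client is a sergent, see file"},
]
RESULTS = [remediate(r) for r in SAMPLE]
```

Each action string stands in for a workflow event; in practice the operator task and its follow-up ticket would provide the audit trail mentioned above.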

You too can benefit from our expertise in bringing your company into compliance – or auditing its compliance – with DCPM regulatory requirements. Don’t hesitate to get in touch – we’d be delighted to discuss it with you!

Frédéric Toumelin
With more than 20 years’ experience in strategic support, Frédéric works with banking sector executives to advise them on the tools they need to implement an effective approach to maximising the value of their data assets.