Tchérylène Mairet is AGS RM’s leading Data Protection Officer. Her goal is to achieve a balance between support for customer operations and the demands of privacy regulations.
Having got to grips with the General Data Protection Regulation (GDPR) in 2017, she treated compliance as a “state of mind” before it became her job. Since then, her mission has been to eradicate the risks companies face when it comes to data protection.
Tchérylène joined AGS RM in October 2021 as a Data Protection Officer (DPO) and works relentlessly to improve business processes, both for AGS RM and for a large portfolio of the company’s clients from the health, social housing and pension fund sectors.
Pointing out possible risks of non-compliance
As a graduate of the Conservatoire National des Arts et Métiers in Paris, she holds a CNIL certification. In France, the CNIL is a compliance tool to meet the needs of professionals who wish to communicate the level of data protection offered by their products, services, processes or data systems. It is an important “guarantee” for clients, Tchérylène advises. “I point out the possible risks of non-compliance, what needs to be changed, and what needs to be improved,” she explains.
Although the CNIL only has the power to make recommendations, it works in companies’ best interests: beyond CNIL sanctions, a formal notice could damage the customer’s reputation and is therefore best avoided.
With each new client, Tchérylène conducts a start-up audit to understand the current situation the company finds itself in. Due to the intrusive nature of this phase, she admits there are some tense moments. “But it’s an opportunity for me to introduce myself and build confidence with the client. I tell them I’m not here to rap them over the knuckles, I’m here to help.” Reporting directly to the process manager, often the company’s director, she also meets with representatives of each department.
Constantly on the lookout for non-compliance
Together with company employees, she visits the premises and notes what could be a risk of non-compliance. “I usually start observing in the parking lot,” she explains. Constantly on the lookout, she observes everything: surveillance cameras, physical security measures, documents that might have been forgotten in the photocopier, even closets left open. “I’m looking for anything that could threaten the confidentiality of the data,” she says.
The audits usually take three days. Once complete, she writes a report with recommendations and assessments of non-compliance. The major risks need to be addressed as soon as possible, as the risk of a breach of privacy is high. For medium and low risks, the company must draft an action plan to neutralise them.
Failures in physical records management
Non-compliance often results from failures in records management. For example, retention periods are not always regulated by law, but they can still be determined. In addition, storage conditions for physical or digital records should include measures to ensure data confidentiality and security. Any shortcomings in these two pillars of the GDPR will result in failed regulatory audits in certain sectors. Tchérylène notes that more and more companies are turning to outside providers, such as AGS RM, to take care of their physical records. Above all, they are seeking advice on retention periods.
On a day-to-day basis, she builds and maintains compliance documentation, responds to data subjects who want to exercise their rights, and conducts impact analyses. She also provides legal and operational advice to companies by raising awareness and training employees on the risks associated with personal data. “Customers are afraid of the GDPR, but I try to convey the spirit of the regulation and interest them in all aspects of respecting people’s privacy.”
Schedule a start-up audit with AGS RM’s Data Protection Officer to ensure your company is compliant with GDPR regulations.