Many organizations are still in the assessment or gap analysis stage. These are the plans to build the house, a beautiful architectural sketch but no more, illustrates Thibaut De Vylder who is CEO of dFakto. « Build the foundations, mount the walls, choose colors and the moving date? No specific plan, no budgets, people assigned. Everything remains operationally vague with the completion of the assessment. With GDPR360, dFakto offers a solution to support the implementation and structuring of the necessary GDPR operations.  »

The proposition was born from a statement: In the analysis phase, organizations are most often supported by law firms for the legal framework and by cybersecurity specialists, or even GDPR consultants for the GDPR. produce assessments and DPIA (Data Protection Impact Analysis). « In short, so far we produce paper, a lot of papers”, continues Thibaut De Vylder. “And often, I find that these analyzes are not very concrete and lack granularity … To do well, by treatment, one must at least identify risks, the actions to reduce them, and allocate responsible persons and deadlines. I come back to the image of the sketch. It is not with a sketch that we will build the walls of the house in which we will live every day. You need a plan of execution and good tools to follow up on it!  »

For dFakto, the presentation of the GDPR they have seen in most seminars does not provide an answer. There are principles such as deadlines for notification or the right to be forgotten, and also about controls and sanctions, which are in fact, these new realities. Unfortunately, it is the idea of risk ​​constraint that dominates, and who, therefore freezes initiatives. However, getting in line with the GDPR can be an especially great opportunity to regain control of organisational data collection and its exploitation, to improve not only the quality of treatment, but especially its value. In this sense, the European regulation is a governance project and opportunity for proper Data Management.


GDPR is fundamentally a very scalable data management challenge. The GDPR360 solution requires an agile data approach to implement technical or organizational measures, with human responsibilities to define, apply, and verify that they are met. This is a central point of data governance because data governance is not a computer problem – far from it! And so you need an easy-to-use solution. « In GDPR360, we use various intuitive highly visual indicators, such as weather pictograms, » adds Thibaut De Vylder. The goal is to get users to adopt and register the GDPR within a continuous cycle of improvement.  »

Anomaly reports, analysis, dashboards are evaluated and re-evaluated; new tasks emerge as new risks are identified, assessed and communicated in an updated version of the DPIA(s). The evolution of the progress of the tasks and the evolution of the risks is permanent and continuous. The solution is agile and easy extensibility to other data sources and their respective compliance issues; the dynamic architecture ensures that the new features will not jeopardize what is already in production.

Following a quality assessment, the GDPR360 solution can be deployed in less than one month on the basis of a fixed price for 4 data sources (even more optional), followed by a monthly payment showing the hosting costs, license (SaaS) and support; a budget that can be shared for small businesses. In addition to companies managing personal data of their customers, suppliers … (Data Controller), dFakto has already familiarised many providers in marketing, human resources, IT services, actors in the world of associations and trustees (Data Processor). And, of course, the DPOs who can operate the solution in as-a-service mode on behalf of their own customers; they can therefore focus their activity on piloting and deploy several customers in parallel, at scale.

The GDPR360 solution is fully aligned with and complementary to the methodological recommendations of the CNIL (National Commission Informatique et Libertés) in France, the Commission for the Protection of Privacy in Belgium, the National Data Protection Commission of Luxembourg and, of course, the European Regulation.

The GDPR360 application provides a point-by-point response to GDPR requirements. For example, the requirements for mapping sensitive data, maintaining a processing register and setting up internal procedures to guarantee data protection are one of the founding principles of data governance; the priority management system to comply with present and future obligations is « covered » by the data management strategy, which consists precisely of prioritizing and focusing data management efforts; the risk management system, the privacy impact assessment and the documentation needed to prove compliance are also included by default in a data governance approach.


To hear Thibaut De Vylder, it is therefore a continuous project, the date of May 25, 2018 not being the date of arrival, but the starting point of a constant process of improvement. Also, the primary mistake would be to resort to a « stirring the nest once” method, which has only short-term impacts. In summary: you should not make each service involved in data processing think about a collection of all their systems once and compile everything to enact risk-reducing rules once, as quickly as possible … this is a limited approach. If at first glance, it may seem sufficient, it nevertheless presents many weak points: a « siloed » version of things, an “audit” to be repeated periodically (in reality, with every new treatment as it is imagined, if we want to stay in compliance), no analysis of the impact of these changes on the operational data flow and therefore a real difficulty to carry out impact studies on privacy … At the end, the possibility -without doubt you will be « in the nails » of the European regulation, but at the cost of significant effort in the case of a manual treatment without the least return on investment expected from this tedious building site approach. Worse: the “repeated audit” approach risks « sterilizing » the company’s data strategy. And it misses the principle of « GDPR by design » …


Data governance is not just another way to get ready on May 25, 2018. Its benefits extend well beyond the scope of the new EU Data Protection Regulation. Joining this approach will enable organizations to adopt an evolutionary approach to the exploitation of personal data. In case of new regulatory developments, it is important to have a sound basis « in the knowledge of personal data, tools and methods” to comply smoothly. No need in the future to start identifying personal data, their location, their path in the systems. It’s already done, and kept up to date by design by data governance.

Good governance also helps to instil a true « data culture » into the company and especially to make it leave the sphere of influence of IT. « A data governance deployment is considered successful if everyone’s behavior becomes natural and virtuous with respect to data, » says Thibaut De Vylder. This is of course not just in relation to personal data. Corollary: there is more to data management than  having a DPO on one side playing ‘Mr Compliance’ and on the other side, departments that use data in their own isolated way… but we need empowered users, ‘data citizens ‘at the service of their organization by using, on the one hand, the data in a more efficient way (simplification of the treatments, automation manual work, reduction of the costs …) and, on the other, by allowing them to grasp more easily new opportunities for using data in a digital world (impact on sales, revenues, co-creation of new products and services …).


Data governance is a subject in which dFakto has excelled for 17 years. In addition to GDPR360, which responds to GDPR’s post-audit implementation and day-to-day operational challenges, the same application principles that exist in GDPR360 can also handle other types of compliance such as ISO27001, ePrivacy, and more. With the same principle, dFakto has also developed Transformation360, a globally recognized management solution for managing and analyzing complex program and project portfolios, and Client360, which provides a complete ‘client-centric’ view of truth about the customers. « We are a specialist in piloting cross-functional initiatives in large institutions like BNP Paribas Groupe, with more than 15 major programs run in parallel, some of which have more than 3,400 projects and 1,200 programs monitored at high frequency », insists Thibaut De Vylder.


With its GDPR360 capability, dFakto offers a real solution to companies both as data controller (Customer) and data processor (Supplier, we think for example non-compliant software publishers), both of which have inherited new rights and obligations, at both Supervising Authorities and Data Subjects. Thus all the providers who manage private data on behalf of a customer can assume their responsibility in accordance with the legislation and also offer this assurance to their customers. In order to be compliant themselves, many customers are currently verifying the compliance of their subcontractors, and this solution makes it possible to manage several data sources for both parties, even distributed or relocated.


Starting from this new legislation, different types of actors have been profiled to meet the first needs of assessment and dFakto is producing a wider ecosystem, an end-to-end solution, bringing together several complementary quality players. dFakto offers its solution to its customers both directly and indirectly via resellers, either in its name or in white label. For small businesses, a mode of mutual-use of the implementation is also possible. Finally, the DPOs are not left behind since the proposed technology allows them to consider themselves as « Augmented DPO », allowing them to manage their customers more effectively by providing them with additional added value in terms of reducing the cost of managing their customers’ conformity.

Source: Thibaut De Vylder interviewed by Alain de Fooz translated from https://www.solutions-magazine.com/dfakto-gdpr360-anticipe-gdpr/