Bureau Veritas’ Position paper on personal data use


More data equals less trust

The experts were right: data is the new oil of the 21st century. All of today’s innovative services use our “digital footprint” as fuel to create value. And it’s a deep reservoir: opportunities to collect data — from web browsing to geolocation, payments, connected objects and more — are multiplying. And the data is increasingly sophisticated, tracking who you are, what you’re doing and your plans.


But as with oil, there are two fears: leaks and theft, or misuse. Data leaks have mushroomed in the last several years. And people are increasingly concerned that their data will be used without their consent. Big data has barely gotten off the ground and already it worries people.

Consumers and businesses caught up in a paradox

A closer look shows that both consumers and businesses are caught in a paradox. Consumers essentially admit that: “Here’s my data, but I’m concerned.” They share their data with brands, government agencies and social networks fully aware of the advantages, such as customized browsing and free content. So there’s a kind of tacit consent. Yet 80 to 90% worry about protecting their data: they fear identity theft and bank hacks (75 et 77%), being inundated with ads and being unable to erase their data (87 et 85%). Although they accept the immediate benefits, in hindsight they’re troubled by the quid pro quo.


The paradox for businesses is that everyone collects data, but no one does it perfectly. The acquisition of data has become massive and businesses are already spending $130 billion to analyze it. But the volumes are so huge that most of it is stored with no specific purpose in mind. It will generate value, that’s a given, but the collectors don’t yet know when or how. And that’s what worries people. Especially since the chain of involvement, from marketers protective of their brand image to data crunchers who reserve the right to use the data in the future, is a diverse one. As a result, all businesses are suspect, from major retailers to pure players on the web.

All businesses have an interest in being transparent

To restore trust, IT departments have long since secured their data servers, even though leaks always remain possible. Institutions have also grappled with the topic, in the United States, where the Consumer Privacy Bill of Rights is being examined, and in the European Union, where the new General Data Protection Regulation

was adopted in April. The GDPR gives individuals more control over their own data, including the right to erasure, also known as the right to be forgotten, and portability. But regulation by its nature tends to lag practices and innovation. And consumers will never view basic regulatory compliance as anything more than a “bare minimum” or baseline: businesses won’t score points for it and it won’t restore trust. They must go further and practice total transparency.


Apart from a handful of big companies that have published ethics charters or guidelines, businesses remain timid, offering minimal privacy policies and well-hidden data control options. They’re afraid to publicize their engagement too strongly and then come up short. Or lose the option to monetize personal data in the future.


Data protection must be designed into products and services from day one while specifying how the data may be used. That’s what “Privacy by Design” calls for. The European Union’s new GDPR has even made it an obligation, in the form of “Privacy by Default.” Businesses must create a real Chief Data Officer position, with a strategy for managing personal data, new ethics processes and a capacity to convert both internal personnel and contractors.

Independent certifications is the only way to restore trust

To put the issue to rest for consumers, the process must be made public. In a word, certified. The European Union GDPR itself encourages certification, so that consumers can “quickly assess the level of data protection” provided.


Certification is insurance, used by the public, customers and partners to decide whether to continue placing their trust in businesses. Its credibility is established by the market and it is easy to understand, open-ended, deployable internationally and designed to communicate via a label.


To be practical, several levels of privacy certification will have to be awarded:

  • Privacy Checked/Privacy by Design certification, which guarantees that a product or service has been designed from the outset to protect personal data, without having to redo the entire IT architecture. This level is more accessible for some businesses.
  • Governance certification, which will focus on overall data management, without requiring technical audits of resources, and create an international label.
  • A European Union regulation (RGPD) certification, awarded based on a guideline derived from the official text.


The best choice to award data privacy certification is a trusted independent third party. There are scores of private or institution-backed certifications, which are based on regional regulations.

Only a trusted independant third party, such as Bureau Veritas, will bring impartiality, an unblemished reputation, the credibility of a business expert, proven analytical processes and, most of all, the ability to support the label.


Bureau Veritas is launching certification solutions that can be tailored to the needs of industry in all sectors, so that businesses can carry out their own digital transition securely. Bureau Veritas has more than 180 years of experience helping industry with transparency initiatives. With a B2B and B2C brand recognized worldwide, Bureau Veritas is the benchmark certification organization for data governance. Today we are helping to establish privacy as a major opportunity for businesses astute enough to seize it.