Hugo Salard

Context: Structuring and industrializing GDPR compliance management for a mutual insurance group handling health data (GDPR Article 9).

• Managed the GDPR data management tool tender: drafted specifications, defined evaluation criteria, interviewed vendors, negotiated contracts, and selected DASTRA.

• Designed the company-wide deployment project: steering committees (COPIL, COPROJ), project scope, multi-year roadmap, identification and onboarding of key stakeholders (DPO, IT, business units, legal).

• Implemented and deployed SSO in conjunction with the IT department: access architecture, roles and permissions governance, compliance with group security requirements.

• Managed and monitored the implementation of the three core modules (Record of Processing Activities, Data Subject Requests, Data Breaches): configuration, testing, user training, change management.

Results:

• Successful tool migration: over 30 employees trained (DPOs, business privacy representatives, legal).

• Over 250 data processing activities migrated and structured in the new record.

• Industrialized processing of data subject requests and breaches: centralized management, auditable traceability, controlled deadlines.

• Overall optimization of GDPR compliance management: +30% efficiency (ROI).

Context: End-to-end redesign of a mutual insurance group's marketing consent system, covering a large, multi-channel contact base, with strict alignment to CNIL guidelines on commercial prospecting.

• Legal redesign of communication purposes: analysis of legal bases (GDPR Article 6), redefinition of the multi-channel consent process (email, SMS, push, mail), alignment with CNIL recommendations on consent and commercial prospecting.

• Operational implementation within the IT system (CRM - API - Didomi): design of data flows between group CRM, API layer, and Didomi CMP, management of consent proofs, traceability of user choices and reversibility.

• Change management: onboarding of marketing, compliance, and IT departments, arbitration of conflicts between legal requirements and operational business needs.

• Operational deployment and team training: migration plan, functional testing, post-production support, training of marketing and CRM teams on new purposes.

Results:

• 8 new communication purposes structured, documented, and translated in the CMP.

• Migration of consent for over 10 million contact records, without service interruption.

• Compliance of the commercial prospecting system with GDPR and CNIL guidelines.

Context: Management of the "paper archives" component of a large personal data purge program (digital + paper) for AESIO Mutuelle, covering HR and finance departments, deployed across the group's entire real estate portfolio.

• Design of the group's Archiving Policy: retention rules, purge procedures, destruction traceability, alignment with sectoral legal obligations (Mutual Insurance Code, labor law, accounting and tax obligations).

• Update of the data retention framework: exhaustive review by document type, legal validation, formalization into an operational framework for business units.

• Operational coordination of the purge across 38 sites: planning, logistical organization, coordination with archiving and certified destruction providers.

• Project management and steering committees: tracking progress indicators, facilitating steering and technical committees, reporting to the compliance department.

Results:

• 10 km of paper archives purged in accordance with the group's framework.

• Archiving policy adopted and deployed across all HR and finance departments.

• Data retention framework updated and enforceable by business units.

• Reduction of GDPR risks (Article 5.1.e, retention limitation) and physical archiving costs.