CLIENT TESTIMONIAL
Damien Montalan,
Information Systems Director at SATA Group
"I really appreciated the compliance process. During our initial discussions, David came up with a ready-to-use template. This gave us a basic corpus, which he was then able to adapt to our specific needs. I felt confident straight away, because I knew that CyberSecura had mastered the subject."
1- Could you briefly introduce yourself: your company, your position and your responsibilities?
​
"I'm Damien Montalan, Information Systems Director at SATA Group. SATA Group is a ski area operator in the Oisans region (Isère + Hautes-Alpes). Founded in 1959, SATA operates its historic site at l'Alpe d'Huez, the site at La Grave since 2017, and the site at Les 2 Alpes since 2020, under Public Service Delegation contracts.
​
My main job is to define and manage the SATA group's IS strategy, and to ensure the consistency of the IT tools and systems used on a daily basis by our teams. I'm also responsible for deploying and securing networks, and maintaining our infrastructure and the applications needed to run the company in operational condition.
​
The scope of the IT Department's work in our ski resorts is very broad: from sales to grooming monitoring, not forgetting the slope and ski lift operating registers, all the company's processes are computerised. As a result, we work with all the company's business units."
​
2- For what type of need did you call on CyberSecura? What was the trigger?
​
"When the GDPR came into force, I found myself, like many CIOs in SMEs, parachuted in as DPO.
It very quickly became clear to me that knowledge of our IS and internal processes alone was not enough to meet the challenges of the GDPR. We also needed specific legal knowledge, which we didn't have the critical mass to bring in-house.
​
So I set out to find an external company that could provide us with expertise on the subject, if possible on a human scale and close to home.
​
We started working with CyberSecura in 2020. The initial idea was to carry out an assessment that would serve as the basis for a GDPR compliance mission. But I quickly realised that this mission had to be a long-term one if it was to be truly effective. That's why we delegated the DPO role to CyberSecura."
​
3- Why did you choose to entrust these missions to CyberSecura rather than to someone else?
​
"I came to know CyberSecura through an acquaintance that David and I had in common. We hit it off straight away.
​
The fact that we were close to each other was a decisive factor for me. On a human level, first of all: we're used to forging strong, long-term partnerships with our service providers, and that works much more naturally with structures the size of CyberSecura. Geographical proximity: you are based in Grenoble, and it makes sense for us to work with local service providers.
​
Finally, David has very quickly created a network in the mountain ecosystem, and that makes a lot of sense for us. I know, for example, that he works with the 2 Alpes Tourist Office. It makes things a lot smoother to have a single point of contact."
​
4- Did you have any fears before setting up the project?
​
"I didn't really have any fears as such. On the other hand, I knew that there was a risk of dissonance between what the GDPR required of us, what certain specific laws said, and what we were able to achieve in the field.
The challenge was therefore to position the cursor in the right place, so that we could continue to work smoothly while remaining within the regulatory framework."
​
5- In your opinion, what are the challenges facing your business today?
​
"In my opinion, there are several.
​
The first challenge for us is to strike a balance between the constant need to canvass customers and the need to comply with the GDPR regulations. This has forced us to review some of our marketing processes in particular. We have also gradually learned to take the GDPR into account right from the design phase of our projects.
​
We also have a challenge with certain software publishers: some solutions are not yet fully compliant with the GDPR. So we have to work with the publishers to move towards compliance, which takes a lot of time.
Next, I'd like to mention the grey areas that sometimes exist. It can happen that things are not as clear-cut as described in the texts. In some cases, certain laws even contradict the GDPR. We need to take a step back and use our judgement to find the right answer. We need case law on these issues to know where to put the cursors.
​
Finally, we mustn't lose sight of the fact that a ski resort is a complex ecosystem in which many players interact. When a customer comes to Alpe d'Huez, Les 2 Alpes or La Grave, they are not just buying a ski pass from SATA: they are also renting accommodation, skis, signing up for events, going to restaurants and so on. So they share their personal data with operators who are independent of each other, but who share the same territorial logic and the same ambition: to provide customers with an experience that makes them want to come back. In this respect, we need to aggregate, cross-reference and share data to gain a complete understanding of our customers. But the GDPR makes this a very complex exercise."
​
6- How would you describe the work carried out by CyberSecura and its team, in just a few words?
"The first adjective that comes to mind is 'proximity'. It's very important for me to have this proximity, both human and geographical, because it makes the difference between a simple service and a real partnership.
I would also talk about transparency and trust. You can't work on these issues without trust and transparency."
​
7- What are the results of this collaboration?
​
"Since 2020, SATA has been in a period of very sustained growth, with the resumption of operations at the Les 2 Alpes site and the reintegration of the Oz and Vaujany sites. We had to deal with the COVID (operating ban during the winter of 20-21) and its consequences (supply difficulties, etc), as well as the energy crisis. It wasn't easy to make room for the GDPR in the midst of all this!
​
Without outsourcing the role of DPO to CyberSecura, we clearly wouldn't have been able to move forward.
CyberSecura directly handles and processes all requests from our customers to exercise their data protection rights. This saves us time and efficiency, and reassures us, since we are certain of meeting this regulatory obligation.
​
We are also making progress on producing and keeping up to date the documents we need to comply with the GDPR. This is a long-term project, which we clearly couldn't do without CyberSecura. Although everything is not yet perfect, we know that we are heading in the right direction, and that we would be able to prove our good faith and seriousness in our desire to be compliant in the event of an inspection by the CNIL."
​
8- What did you appreciate the most in the solution provided by CyberSecura?
"I really appreciated the compliance process. During our initial discussions, David came up with a ready-to-use template. This gave us a basic corpus, which he was then able to adapt to our specific needs. I felt confident straight away, because I knew that CyberSecura had mastered the subject."
​
9- Conversely, were there any elements that you missed, any solutions that you didn't find in our offerings? How could we have improved?
​
"It's a bit difficult to answer this question... Our approach is one of partnership, co-construction and continuous improvement.
Since we started working with CyberSecura, we've changed the mission several times to adapt or readapt it to our context. So there are no gaps as such, but rather an ongoing desire and need to support the evolution of our business.
Some organisations were working at the start of the assignment, but had to be reviewed afterwards; we sometimes got things wrong and had to put things right. In the end, what counts is this agility, all the more so in the context of SATA's strong growth."
​
10- What advice would you give to companies facing the same problem / having the same project as you?
"I'd start by doing the opposite of what we set out to do in the first place, which was to try and tackle the subject on our own! I think that, from the outset, we should have brought in someone from outside. We'd probably have wasted a lot less time, and gained in efficiency."
​
11- Would you recommend CyberSecura to others? Yes / No, for what reason(s)?
​
"Of course! Once again, because of the size of the structure, the seriousness and the quality of the human relations that we maintain, which means that CyberSecura is not a service provider, but a partner.
It's this notion of partnership that makes the difference for me. The action plan we work on with David is not drawn up over 6 months or 1 year. We work on a 3 to 5 year plan, because quality support on these kinds of issues can only be provided over the long term."
The whole CyberSecura team thanks Damien Montalan for his testimonial!
​
If necessary, we can put you in touch with a SATA Group representative so that you can ask all your questions about our services.