What is it?
The European General Data Protection Regulation (GDPR) came into force on May 25, 2018 and its application is uniform for all member states of the European Union.
It is directly applicable and prevails over national legislation in the event of contradiction, in particular Law 78-17 of January 6, 1978 as amended.
It confirms the principles resulting from the Directive n°95/46 of October 24, 1995, below:
- Lawfulness, loyalty and transparency of any processing
- Determination of the purpose of the processing, which must be legitimate, adequate and relevant
- Limitation of the retention period
- Data security
In essence, its main principles are as follows:
- It is based on an articulation of legal and technological means, with a view to prevent risk: the logic of accountability versus the logic of prior formalities.
- A “Privacy by design” approach is adopted, which means that respect for privacy is now at the heart of any technical development, since personal data must be secure and remain confidential.
GDPR and yourself
Who is concerned?
Any company collecting data enabling a person to be identified (email, image, date of birth, IP address, surname, first name, etc.), including in its professional activity, must comply with this new regulation.
- No prior formality of declaration of the processing of personal data to the CNIL (except in special cases: processing that creates a high risk for the rights of individuals)
- The obligation to reduce the data collected to those strictly necessary for the company’s activity (Privacy by Default)
- The reinforcement of the rights of persons whose personal data is collected with the almost systematic requirement of some form of express consent to any collection (portability and right to erasure)
- The implementation of a Data Protection Officer in certain cases
- The obligation to carry out impact studies in certain cases
- Verification of the commitments of your subcontractors, whose responsibility is reinforced and whose obligation to provide advice is recognized
- The obligation to notify any security breach within 72 hours to the regulatory authorities, the notification must indicate the nature of the breach, its consequences and the measures taken to protect the data
What does it mean?
A financial impact
The controls of the authorities will be strengthened and sanctions incurred
will be much higher than in the past: 10 to 20 million euros or 2 to 4% of the total annual worldwide turnover of the previous fiscal year.
The CNIL recommends 6 steps to comply, steps on which we are able to assist you:
- Designate a pilot
- Carry out a mapping of personal data processing
- Prioritize the actions to be taken: define the action plan with regard to the identified risks
- Manage the risk :
– Definition of internal processes
– Revision of clauses in contracts with subcontractors
– Organization of impact studies
- Organize internal processes
– Follow-up and evolution of a processing
– Change of subcontractors
– Security breach
- Document and improve the compliance
– Drafting or revision of compliance documents and follow-up (register, IT charter, etc.)
– Implementation of monitoring tools (audits, impact studies)
– Team awareness and DPO training
A project in itself
Key steps according to the CNIL
What does our assistance consist of?
Concretely, we are at your disposal to assist you in all the steps identified by the CNIL and to put you in contact with computer technicians able to test the robustness of your information systems and security means. Do not hesitate to contact us in order to meet with us to establish an estimate adapted to the size of your company and your activity.