
GDPR - General Data Protection Regulation

This regulation is not the first text on data protection.

At European level there had already been several directives, which by definition are not directly applicable; this European regulation is therefore the first data protection text that is mandatorily and directly applicable in all member states. In France, several texts had already followed one another before the RGPD, starting with the Loi Informatique et Libertés of 1978. In force since May 25, 2018, the General Data Protection Regulation (RGPD in French, GDPR in English) governs the processing of personal data and concerns every organization.

Introduction to the GDPR

The response to the RGPD is much more than technological; it is not enough to buy an “RGPD compliant” or “GDPR compliant” solution. Bringing your company into compliance requires a review of all your processes and of your organization. The RGPD compliance approach rests on four components: legal, organizational, process and technological.

1- Design a pilot

As with any project, you need to appoint a project leader, who may later become the company’s DPO (DPD in French).
This person is responsible for defining all the company’s data collection and transmission processes. He or she will then receive requests from data subjects for any data queries or deletions.

2- Mapping your personal data processing

Before implementing compliance measures, you need to take stock of your processes. To do this, you need to document your personal data processing operations, the categories of personal data processed, the purposes of each processing operation, the actors (internal or external) involved in these operations, and the data flows in order to give their origin and location (EU / non-EU).

3- Prioritize actions

First of all, you need to identify the risks associated with your processes in order to prioritize the actions to be taken. You then create an action plan, keeping in mind the basic question: “Am I collecting only the data I need to carry out my processing operations?” You also need to identify the legal basis for each processing operation, review your information notices, contact your processors, set out the procedures for exercising the rights of data subjects, and finally check that your security measures are properly implemented.

4- Managing risks

This step requires a “Data Protection Impact Assessment” (DPIA). The aim of this assessment tool is to help design processing operations that respect privacy and therefore comply with the RGPD. Security measures must then be put in place to address the risks and threats identified.

5- Organize internal processes

Data protection must be considered from the very start of a project, following the principle of “privacy by design”. To achieve this, you need to make your staff aware of the processes you have already established. You also need to be able to handle the exercise of people’s rights, such as access, rectification or deletion. Last but not least, you need to be prepared for potential data breaches.

6- Documenting compliance

Once you have implemented your action plan, you must document your entire approach in a file that includes: the processing register, the DPIA (AIPD in French), information notices, all security procedures and measures, processor contracts, and proof of consent for the retention of personal data.

The DPO - Data Protection Officer - or in French DPD - Délégué à la Protection des Données

Is the DPO mandatory?

The DPO’s role is not only to inform and advise employees, but also and above all to validate the compliance of processing operations and to exercise ongoing control. It should be noted that the appointment of a DPO is not systematic. However, it is mandatory in three cases:
– Public bodies
– Organizations whose main activity involves mass data processing
– Organizations whose main activity involves the processing of sensitive data.

Contrary to popular belief, the appointment of a DPO is not compulsory for companies with 250 or more employees (unless they fall into at least one of the three categories above), but it is strongly recommended depending on your sector of activity.

Should the DPO be internal or external?

Whether mandatory or not, the Data Protection Officer can be either a company employee or an external service provider. If your DPO is in-house, you must ensure that he or she is fully aware of his or her rights and duties. Indeed, as the person responsible for overseeing the processing of personal data, he or she must be in a position to report to superiors in the event of non-compliance.

The DPO is responsible for keeping the data processing register up to date, and for ensuring that the company’s personal data practices are compliant. The DPO is the evolution of the Correspondant Informatique et Libertés (CIL).


What are the penalties for non-compliant companies?

In France, the body in charge of monitoring companies’ compliance is the CNIL, and the penalties for non-compliance with the RGPD are substantial:

> Up to €10 million or 2% of worldwide turnover for breaches relating to (source: CNIL):
– Obligations incumbent on the controller and processor under Articles 8, 11, 25 to 39, 42 and 43
– Obligations incumbent on the certification body under articles 42 and 43
– Obligations incumbent on the body responsible for monitoring codes of conduct under article 41, paragraph 4.

> Up to €20 million or 4% of worldwide turnover for more serious infringements of (source: CNIL):
– Basic principles of processing, including the conditions applicable to consent under Articles 5, 6, 7 and 9
– Rights of data subjects under articles 12 to 22
– Transfers of personal data to a recipient in a third country or to an international organization under articles 44 to 49
– Obligations under the law of the Member States adopted pursuant to Chapter IX
– Failure to comply with an injunction, temporary or definitive restriction of processing or suspension of data flows ordered by the supervisory authority under Article 58(2), or failure to grant the access provided for, in breach of Article 58(1).

However, we have found that beyond the financial risk, the commercial risk is even greater: if you are unable to respond favorably to a prospect’s request, he or she will become a customer of your competitor.

What is personal data?

Personal data is any information relating to an identified or identifiable living individual, that is, information which on its own or in combination with other data makes it possible to identify that person, directly or indirectly.
There are seven categories of personal data:

– Identity-related data (surname, first name, address, photo, date and place of birth, etc.)
– Personal data (lifestyle, consumer habits, hobbies, family situation, etc.)
– Professional data (CV, diplomas, training, position, place of work, etc.)
– Financial information (income, taxes, bank details, social rights, financial situation, etc.)
– Location data (GPS coordinates, vehicle or telephone geolocation, building badges, electronic toll collection, etc.)
– Judicial data (criminal record)
– Sensitive data.

The CNIL defines sensitive data as “information concerning racial or ethnic origin, political, philosophical or religious opinions, trade union membership, health or sex life. In principle, sensitive data can only be collected and used with the explicit consent of the individuals concerned.” This also covers data relating to criminal convictions or offenses, biometric and genetic data, and the social security number (NIR).


What is a processing operation and a processing register? What is the process for validating data processing compliance?

The CNIL defines the processing of personal data as “any operation or set of operations concerning such data, irrespective of the process used (collection, recording, organization, storage, adaptation, modification, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, etc.)”.

A processing operation must have a purpose, be associated with the actors (internal or external) involved, and identify the data flows so as to give their origin and location (EU / non-EU).

Examples of processing operations (non-exhaustive list): payroll management, online sales, video surveillance, invoicing management, customer and supplier file management, employee file management, management of purchased, rented or exchanged prospect files, invoicing and payment management, database storage, file storage (Excel, text, CSV, etc.) or storage in paper form (invoices, pay slips, etc.), website or extranet for customers or suppliers, server logs, ERP software, business software, management of access to premises (badges, time clocks, etc.), and so on.

The company’s data processing operations are listed in a processing register, which may be a paper or electronic document. The register associates each processing operation with its purposes, the actors (internal or external) involved, and the data flows so as to give their origin and location (EU / non-EU).

Once all processing operations have been identified and entered in the register, the internal or external DPO validates or rejects their compliance. In the event of rejection, he or she provides feedback and verifies the corrective actions implemented, in order to validate the processing operation(s) in question. This is a crucial stage, since in the event of non-compliance the DPO must inform the CNIL.

What is “Privacy by design”?

The concept of “Privacy by Design” aims to ensure that privacy management is built in right from the start of a project.
Take the example of a video surveillance system. Before installing the equipment, you need to plan the RGPD compliance measures: display the “you are being filmed” notice, define how long the personal data will be kept (as a reminder, a person’s photo or video is personal data), define who will have access to this data, define the procedure to apply in the event of data theft, and so on.
