GDPR compliance goes far beyond the technological aspect: it is not a matter of buying one particular solution in order to comply. Company compliance requires a review of all of your processes and of your organisation as a whole. GDPR compliance is made up of 4 aspects: legal, organisational, processes and technology.
1 - Appointing a coordinator
As is the case with any project, you must appoint a coordinator, who may subsequently become the company’s DPO. This individual will be responsible for identifying every process the company uses to collect and transmit personal data. They will also be the person to whom individuals send their requests, whether questions about their data or requests for it to be deleted.
2 - Mapping your personal data processes
Prior to implementing measures aimed at meeting compliance, you must first carry out an evaluation of your processes. This will involve documenting your processing of personal data, the categories of personal data which you process, the purposes for this processing, the individuals (internal or external) involved in this processing, and data flows in order to determine origin and location (EU/non-EU).
3 - Determine which measures are a priority
Before anything else, you must identify the risks linked to your processes in order to determine which measures are a priority. You will then create a plan of action, using the following question as a framework: “Am I only gathering the data required for the purpose of the processing?” You also have to identify the legal basis for each type of processing, review your privacy notices, contact your subcontractors, outline how individuals may exercise their rights and, finally, ensure that your security measures have been correctly applied.
4 - Risk management
This requires a data protection impact assessment (DPIA). The purpose of this evaluation tool is to devise methods of processing which respect privacy and which are therefore GDPR-compliant. Security measures must then be put in place to address the risks and threats identified.
5 - Organising internal processes
Consideration must be given to data protection from the very outset of a project; this is what is known as “privacy by design”. It involves familiarising your employees with the processes you previously devised. You must also cover how individuals are able to exercise their rights (the right to access their data, the right to have it rectified or erased, etc.). Finally, you must have the capacity to anticipate and handle potential data breaches.
6 - Documenting compliance
Once you have deployed your plan of action, you must document your strategy in a dossier including: a record of processing activities, your DPIA, your privacy notices, all of the security measures and procedures, subcontracting agreements, and proof of consent for the retention of personal data.
DPOs are responsible for informing and advising employees, in addition to their most important duties: ensuring that processing is compliant and carrying out continuous monitoring. Not all companies employ a DPO, but there are 3 cases where appointing one is mandatory:
- Public bodies
- Organisations whose primary purpose is the processing of large quantities of data
- Organisations whose primary purpose is the processing of sensitive data
Contrary to what some people might think, companies with more than 250 employees are not required to employ a DPO (unless they fall into one of the 3 categories outlined above), but it is strongly recommended that they do, particularly in certain sectors.
Whether mandatory or otherwise, Data Protection Officers can be either company employees or external service providers. If your DPO is internal, you must ensure that they are fully aware of their rights and responsibilities. In their role as data protection officer, they must be able to escalate non-compliance to the highest level of the company hierarchy.
DPOs are responsible for ensuring that records of processing activities are kept up to date and that the company meets its obligations with regard to personal data. The role of DPO replaces the role of IT and Liberties Representative.
The body responsible for ensuring companies in France meet compliance is the CNIL. Sanctions for failing to comply with the GDPR are quite severe:
> Up to €10 m or 2% of overall turnover for violations relating to (Source: CNIL):
- Obligations which the data controller and subcontractor must uphold in accordance with articles 8, 11, 25 to 39, 42 and 43
- Obligations which the certifying body must uphold in accordance with articles 42 and 43
- Obligations which the body tasked with monitoring codes of conduct must uphold in accordance with article 41, paragraph 4.
> Up to €20 m or 4% of overall turnover for more serious violations relating to (Source: CNIL):
- The basic principles of processing, including conditions applicable to consent, in accordance with articles 5, 6, 7 and 9
- The rights of individuals, in accordance with articles 12 to 22
- The sending of personal data to a recipient in a third country or to an international organisation, in accordance with articles 44 to 49
- Obligations under the terms of laws in member states, adopted in accordance with chapter IX
- Failure to adhere to an injunction, a temporary or permanent limitation on processing or a suspension of data flows ordered by the supervisory authority in accordance with article 58, paragraph 2; or failure to grant access allowed for in accordance with article 58, paragraph 1.
We have noted, however, that on top of financial penalties, the commercial risks are more serious. If you are unable to provide a satisfactory response to a request from a potential client, then they will go with one of your competitors.
Personal data is any information relating to an identified or identifiable living person, i.e. information which could be used to identify this person, either directly or indirectly. There are 7 categories of personal data:
- Data relating to their identity (full name, address, photo, date and place of birth, etc.)
- Data relating to their personal life (habits, consumption, hobbies, family circumstances, etc.)
- Data relating to their professional life (CV, degrees, education, job title, workplace, etc.)
- Financial information (income, tax, bank details, social rights, financial situation, etc.)
- Data on location (GPS coordinates, vehicle or phone geolocation, building access cards, electronic toll collection, etc.)
- Legal data (criminal record)
- Sensitive data
The CNIL defines sensitive data as “information relating to a person’s racial or ethnic origins; their political, philosophical or religious beliefs; their membership of a trade union; their health; or their sexuality. In principle, sensitive data may only be collected and processed with an individual’s explicit consent.” To this we can add data relating to an individual's criminal record, biometric or genetic data, or their social security/national insurance number.
Company exposure audit
The CNIL defines the processing of personal data as “any operation or set of operations regarding such data, irrespective of the process used (gathering, recording, organising, retaining, adapting, modifying, extracting, consulting, using, sharing, transmission, distribution or any other form of provision, reconciliation or interconnection, locking, erasure or destruction, etc.)”.
For each instance of processing, you must identify its purpose, the individuals (whether internal or external) engaged in it, and the data flows, in order to determine the origin and location of the data (EU/non-EU).
The following is a non-exhaustive list of examples of processing: payroll management, online sales, video surveillance, invoice management, handling client and supplier files, managing employee files, managing files on prospects that have been bought, rented or exchanged, invoicing and payments, database storage, file storage (Excel, text, CSV, etc.), storage in paper format (invoices, payslips, etc.), internet and extranet sites for clients or suppliers, server logs, enterprise resource management, business software, access management (cards, time clocks), etc.
Companies are to log all processing in a record of processing activities, either on paper or electronically. For each instance of processing, this record will outline its purpose, the individuals (whether internal or external) engaged in it, and the data flows in order to determine origin and location (EU/non-EU).
Once all of the instances of processing have been identified and recorded, the DPO, whether internal or external, will check that they are compliant. Where one is found not to be compliant, the DPO will provide feedback and verify the corrective measures taken so that the processing can be validated. This is a very important stage: the DPO must notify the CNIL should they become aware of a compliance issue.
“Privacy by Design” is aimed at ensuring that privacy is incorporated into a project from the outset. Let’s look at the example of a video surveillance system. Before the equipment is installed, you must allow for GDPR compliance measures: displaying the information “you are being filmed”, determining how long personal data will be retained (a photo/video of an individual is personal data), specifying who is to have access to this data, outlining the procedure to be applied in the event of data theft, etc.
Do you want to comply with the GDPR? Our experts are here to help you with your approach. Do not hesitate to contact us via this form. Together we will determine the support best suited to your GDPR compliance objectives.