Are you GDPR compliant? More than two years after the GDPR's implementation, many companies are late in integrating these new requirements on data protection into their projects.
GDPR Compliance: What is personal data?
Personal data is a very broad category: any data that, individually or in combination, can single out a person within a group. It is present throughout your information systems and includes:
- contact details (last name, first name, postal or e-mail address, telephone number)
- data with a high impact on private life (HR data, geolocation data)
- sensitive data (health status, political or religious opinions, sexual orientation, social security number)
Appointing a DPO to ensure GDPR compliance
GDPR compliance concerns all your departments and activities as soon as personal data is processed. For more efficiency, this project should be coordinated by a person in charge.
In some cases, the appointment of a dedicated function, a Data Protection Officer (DPO), is even mandatory. This is the case, for example, for local authorities or for certain technology companies.
Identify the data processing operations subject to the GDPR
Have you carried out an inventory of your databases?
Personal data can take many forms, structured (text files, databases) or unstructured (contracts, free comment fields).
You must therefore create a register describing the data processing carried out. Each record centralizes the main characteristics of each process: What data are processed? For what purposes? Who is the recipient of the data? How long are they kept? Etc.
This inventory will allow you to assess your GDPR compliance risks. You will then be able to prioritize your efforts on the most sensitive processing operations.
With the GDPR, achieve more transparency and consent
You probably process the data of prospects, customers, suppliers, employees or partners.
Even more than before, you will have to be transparent about the way data is processed. This will lead you to create various informational materials and to review existing ones, for instance:
- information at the bottom of data collection forms
- employee information notices
You will also need to review your user experience to ensure that consent is obtained. This can be done in various ways:
- check boxes on forms to authorize prospecting operations
- oral solicitation of consent by customer advisors
- consent request interface for the deposit of cookies
If you process sensitive data, you will also need to collect specific consent.
Accountability and privacy by design, the key concepts of GDPR compliance
The GDPR requires data processing to be compliant across the board. It rests on three key concepts:
- Accountability: Access restriction, limitation of data fields and purposes, automatic purges, etc. Implement in your tools the adequate measures in terms of data protection and security.
- Privacy by design: Integrate these measures as early as possible, from the design phase of your new projects or when you make structural changes to your tools. This will help you control your costs and your schedule.
- Privacy by default: Do not collect unnecessary data. Restrict the collection fields of your forms, set up your tools correctly so as not to collect more than necessary.
Your most significant structural projects should be subject to a data protection impact assessment (DPIA). This will allow you to determine more precisely the measures to be built into the project.
Check the GDPR compliance of suppliers
Your company is responsible for the data processing carried out internally by your employees, but also externally by your suppliers and subcontractors.
You must therefore:
- verify their adherence to the GDPR
- sign additional agreements to ensure the protection of personal data
- sign specific agreements in case of data transfers outside the European Union (for example, if the processor is based in Morocco or transfers data to its parent company in the United States)
Handling data subject rights under the GDPR
The people whose data you process may ask you, among other things:
- to communicate to them the data that you hold
- to rectify or delete it
- to stop processing their data, for example by unsubscribing from newsletters or prospecting databases
The handling of these requests must cover every database in which their data is stored. This is why a GDPR compliance plan requires procedures describing the steps to follow for each type of request. Correct handling of requests is essential to avoid complaints against your company being lodged with the CNIL (Commission nationale de l'informatique et des libertés).
IT security, a pillar of GDPR compliance
Ensuring the security of databases is important, especially those containing personal data. Therefore, you will need to establish a plan with appropriate measures for each IT layer of your infrastructure. IT security is the foundation of your GDPR compliance.
One of your databases has been hacked? An employee has sent a data file by email by mistake? Your customers' quotes and invoices are accessible online? All these data breaches must be notified to the CNIL within 72 hours. This requires another procedure covering detection of the breach, minimization of the damage and notification. You may also need to inform the individuals affected by the breach.
Get the tools you need to comply with GDPR
The GDPR imposes a coherent set of obligations. Integrating these requirements into your activities will require a sustained effort, driven by the internal sponsor with the buy-in of the departments concerned.
You can rely on many resources, such as natural language recognition, and on tools that automate certain repetitive tasks. This will lighten the workload of both your Data Protection Officer and your business teams, while making your GDPR compliance more efficient.