Are you GDPR compliant? More than two years after the GDPR's implementation, many companies are late in integrating these new requirements on data protection into their projects.
GDPR Compliance: What is personal data?
Personal data is a very large set of data that, individually or combined, can isolate a person from a group. It is present in all your information systems and includes:
- contact details (last name, first name, postal or e-mail address, telephone number)
- data with a high impact on private life (HR data, geolocation data)
- sensitive data (health status, political or religious opinions, sexual orientation, social security number)
Appointing a DPO to ensure GDPR compliance
GDPR compliance concerns all your departments and activities as soon as personal data is processed. For more efficiency, this project should be coordinated by a person in charge.
In some cases, the appointment of a dedicated function, a Data Protection Officer (DPO), is even mandatory. This is the case, for example, for local authorities or for certain technology companies.
Identify the data processing operations subject to the GDPR
Have you carried out an inventory of your databases?
Personal data can take many forms, structured (text files, databases) or unstructured (contracts, free comment fields).
You must therefore create a register describing the data processing carried out. Each record centralizes the main characteristics of each process: What data are processed? For what purposes? Who is the recipient of the data? How long are they kept? Etc.
This inventory will allow you to evaluate your GDPR compliance risks. You will then be able to prioritize your efforts on the most sensitive projects.
With the GDPR, achieve more transparency and consent
You probably process the data of prospects, customers, suppliers, employees or partners.
Even more than before, you will have to be transparent about the way data is processed. This will lead you to create various informational materials and to review existing ones, for instance:
- information at the bottom of data collection forms
- employee information notices
You will also need to review your user experience to ensure that consent is obtained. This can be done in various ways:
- check boxes on forms to authorize prospecting operations
- oral solicitation of consent by customer advisors
- consent request interface for the deposit of cookies
If you process sensitive data, you will also need to collect specific consent.