Entering into force on May 25, 2018, the General Data Protection Regulation (GDPR) strengthens the responsibility of organizations to protect personal data to the fullest extent possible, and thereby the rights of EU citizens. Any company or association in one of the 28 Member States, as well as any organization outside the EU that collects and processes the data of European residents, must be able to prove its compliance at any time.
GDPR: key principles
Any website affected by the GDPR is obliged to clearly tell its visitors:
- why it collects their data,
- how this data will be used,
- how long it will be kept,
- which third parties will have access to it.
The rights of users
All users must have the right to access their data (forms, email address, postal mail…). One of the best-known examples is Apple, which lets users download all the data the company holds on them. The other rights are:
- the right to be forgotten (e.g. an embarrassing photo or piece of information),
- the right to erasure (when unsubscribing from a site),
- the right to be delisted from a search engine,
- the right to portability, which lets a user, once their personal data has been retrieved, transmit it to another site.
Companies are responsible for two main things: the data they collect and the data they pass on to subcontractors. There is, however, a safeguard: these companies must at all times be able to prove that they are selective about which data they collect or discard, and that they are able to protect their customers' data.
If the data has been hacked or disclosed by a third party, the company has 72 hours to report the breach to the owners of the information concerned as well as to the relevant authorities.
Any company that fails to meet these obligations can be sanctioned (up to 20 million euros or 4% of turnover), provided, of course, that the failure is reported to the supervisory authority (the Commission nationale de l'informatique et des libertés, or CNIL, in France).
Implementation of the GDPR within companies
The CNIL (Commission Nationale de l'Informatique et des Libertés) divides the implementation of the General Data Protection Regulation into 6 steps:
Step 1 – Appointment of the Data Protection Officer
The Data Protection Officer is responsible for leading the governance of personal data within the organization. This officer provides information and advice and carries out internal controls.
Step 2 – Mapping the processing of personal data
In this step the company takes a very precise inventory of the procedures in place for processing personal data. To do this, a register of processing activities must be drawn up, which answers the following questions (Article 30 of the GDPR):
- Who are the stakeholders involved in the data processing?
- What categories of data are processed?
- For what purpose is this data processed?
- Who has access to this information, and to whom is it disclosed?
- How long should the data be kept?
- How is it secured?
Step 3 – Prioritizing the actions to be taken
Based on the register of personal data processing, the company can now identify the actions needed to comply with the GDPR. It must then prioritize those actions so that processing is secured with respect to the rights and freedoms of the data subjects.
Step 4 – Risk Management
If certain personal data processing operations are likely to result in a high risk to the rights and freedoms of data subjects, the company must conduct a data protection impact assessment (DPIA) for each of these processing operations.
Step 5 – Organization of internal processes
To maintain a high level of data protection over time, internal procedures must ensure that data protection is taken into account at every moment. These procedures must therefore cover all the events likely to occur during the life of a processing operation (e.g. a security breach, the handling of rectification or access requests, a change in the data collected, a change of service provider).
Step 6 – Compliance Documentation
To demonstrate compliance with the regulation, the company must compile and consolidate the necessary documentation. The actions taken and the documents produced at each step should be reviewed and updated regularly to ensure ongoing data protection.
What about non-EU companies collecting and processing data from EU residents?
Any company that handles the personal data of EU citizens is legally required to keep a register of processing activities. However, SMEs with fewer than 250 employees may benefit from an exemption, in particular by recording only data that is processed on an occasional basis and that relates to payroll management, customers, suppliers, prospective customers, etc.
Note: if a processing operation involves a risk to the rights and freedoms of individuals, it must be recorded in the SME's register.
The companies to which we entrust personal information are responsible for it. Every actor must keep in mind that non-compliance with the GDPR now carries penalties. Since the Cambridge Analytica scandal, data protection is no longer optional but a duty: a legal, moral and social obligation.
Ict.io is also becoming GDPR compliant!
The digital magazine Ict.io guarantees the full security of your data, in line with the standards imposed by the GDPR. While browsing the magazine's website you can accept or reject the collection of your data by cookies. The contact information (name or email address) you provide when subscribing to our newsletter is stored and protected in accordance with the regulations in force. You can unsubscribe at any time and request that your data be completely deleted from our system by writing to us at the following address: firstname.lastname@example.org.