GDPR in 3 steps

GDPR PEAKS

The General Data Protection Regulation (GDPR; RGPD in French), in place since May 25, 2018 at European level, exists to guarantee the proper use of the data collected by companies.

This new regulation governs the processing of personal data on the territory of the European Union. It continues the French Data Protection Act of 1978 and strengthens citizens' control over the use that can be made of the data concerning them.

It also harmonizes the rules across Europe by offering professionals a single legal framework, allowing them to develop their digital activities within the EU on the basis of user trust. In place since May 25, 2018, the regulation aims to strengthen the rights of individuals and the accountability of the actors who process data.

The regulation is primarily intended to strengthen people's rights regarding consent and transparency in the collection of personal data. In particular, this means informing users of the use that will be made of their data. In practice, this can take the form of larger banners on websites or more detailed information in the "Data Protection Policy" pages. Added to this is a new right, the right to portability, which allows a person to recover the data they have transmitted to one organization in order to "port" it to another.

1. Document GDPR compliance

One of the first things to do is an audit of the data collected by the company, in order to produce a map of its personal data. This data is then archived, qualified and tracked in a register. The processing register takes the form of a table in which each processing operation is qualified. Then, for so-called sensitive data, a PIA (impact assessment relating to data protection) must be carried out: it measures the level of data protection within the company and identifies the actions to be taken to protect the data better.

2. Clearly inform people of their rights

Users must be informed by updating the "Data Protection Policy" pages. The various cookies used must be detailed there: name, role, retention period, etc.

The collection of consent for data collection must be followed particularly closely by organizations, because it is this consent that allows the personal data collected to be used.

In order for users to be able to exercise their rights, a new function must now be set up within companies (or delegated to a specialized company): the DPO (data protection officer). Their role is to ensure proper compliance with the legislation, and they will have to answer for it during inspections.

3. Update contractual and legal aspects with third-party organizations

The GDPR requires, in particular, that the roles of each organization collecting data be specified. This new regulation highlights the notions of controller (the company) and processor (anyone authorized by the company to process the data on its behalf). The whole of this chain will have to comply with the regulation, at the risk of no longer being able to enter into contracts with other third parties.

Source: CNIL

Marine
