GDPR: Key points to keep in mind to ensure compliance
Everyone is talking about it!
“GDPR”, “RGPD” or more officially “General Data Protection Regulation” is one of the hot topics and major concerns for all French and European companies today.
This European regulation, which will enter into force on May 25th, 2018, is directly applicable in all EU Member States (i.e. no implementation law is required, contrary to European directives). It aims to harmonize data protection regulations at the European level, in particular by strengthening the rights of individuals and by making operators involved in personal data processing more accountable.
If your business activities involve personal data processing (and it is almost always the case), it’s time to check your compliance level with the existing regulations, and above all to anticipate your new obligations under the GDPR.
Here are some tips to prepare for the arrival of this new regulation:
# 1 – Designate a “team leader”
The GDPR requires certain companies to formally designate a “Data Protection Officer” (or “DPO”). This is particularly the case for companies whose core business is to process sensitive data (e.g. health data), or whose activities require regular and systematic monitoring of individuals (such as data-based marketing, profiling and scoring in relation to credit risk assessment, or geolocation via mobile applications).
- Accordingly, you should assess the need to designate a DPO in light of your activities.
- Besides, even in the absence of any legal obligation in this respect, it is strongly recommended to designate a person who is aware of data protection issues, who will take the initiative to launch the actions necessary to ensure compliance, who will have a global view of the processing activities carried out within the company, who will centralize requests from operational staff, and who will disseminate a data protection culture to teams via training or other awareness-raising activities. In this situation, be careful not to use the term “DPO” in this person’s job title, as this would entail application of all the rules corresponding to that role (e.g. rules on conflicts of interest, means to be made available, independence, cases of dismissal, etc.).
# 2 – Map the personal data processing operations carried out within your company
Whether you are specialized in data or whether the processing of personal data is merely incidental to your activities, you need to be able to know what is going on in your company.
This step is necessary in order to bring you into compliance with the applicable regulations:
- For each of the identified processing operations, you will need to ask yourself the following questions in order to assess compliance: Who are the data subjects? What types of data are processed? For what purpose(s)? Who can access the data? How long is it retained? Do you transfer data outside of the EU (for example: where are your hosting servers and with which foreign partners do you share data)? (see our article Are you complying with the regulations on personal data processing?)
- On the basis of the mapping you have established, you will be able to create your record of processing activities. As the declaration system with the French Data Protection Authority (the CNIL) will disappear, you will now be responsible for documenting the data processing operations carried out and their characteristics, and for keeping this documentation up to date and at the disposal of the CNIL.
For more information, do not hesitate to consult the dedicated CNIL website.
# 3 – Identify and monitor your data processors
As a reminder, the data protection regulation framework provides for two main types of operators: (i) the data controllers, i.e. the entities that determine the purposes and means of processing operations (e.g. as an employer, you determine the purposes of your employees’ data processing, such as payroll) and (ii) the data processors, who process the data on behalf of the data controller, and upon its instructions (e.g. payroll management service provider, which processes the data only on behalf of the employer).
Do you use a large number of service providers who process personal data on your behalf (e.g. data hosting service providers, SaaS software providers, advertising service providers, etc.)? Even if they are in charge of the practical implementation of the processing operations, you are still liable for the processing operations they carry out for you. The GDPR now requires you to document in detail the obligations of your data processors in the contracts executed with them.
- Gather the contracts executed with your data processors and verify the provisions relating to data processing. If necessary, you should amend them on the basis of the standard clause provided by the CNIL, which covers all the GDPR requirements.
- For your most important data processors, plan regular monitoring in order to ensure that their contractual obligations are satisfied.
# 4 – Update your data collection forms and information notices
In addition to the information that is already required under the existing regulations, the GDPR provides for increased information duties towards your data subjects when collecting their personal data.
In particular, you must indicate the legal basis for each of the processing operations carried out.
- For example, in relation to the processing of social security numbers for the purpose of employees’ payroll, you must indicate that this processing is necessary for compliance with a legal requirement;
- if you wish to segment your prospects/customers on the basis of their consumption or browsing habits, you have to specify that such processing is required for the purposes of your legitimate interests, which consist in having a better knowledge of your customers in order to offer better adapted products or services.
- It is not necessary to re-inform your existing customers of the new information required under the GDPR; however, do not forget to update your information notices (confidentiality policy, information notice on subscription forms, etc.) for new customers.
# 5 – Implement the tools necessary for compliance
The GDPR enshrines an accountability principle. In summary: it is up to you to demonstrate that you have implemented the procedures necessary to comply with applicable data protection regulations.
In order to ensure continued compliance, you need to adopt reflexes and implement certain procedures, such as, for instance:
- Before launching any new project involving personal data processing, anticipate the potential issues and risks of said processing for data subjects, and if necessary, carry out a privacy impact assessment.
The CNIL has developed software to assist you in conducting privacy impact assessments that you can find here.
- Take data protection issues into account (privacy by design) from the design stage of your projects.
For example, when creating a device, make sure that the default settings are the most protective on privacy (privacy by default).
- Create and document internal rules and procedures: retention periods, archiving rules, data breach notifications, etc.
- Anticipate IT developments and the steps to be taken in order to respond to requests from data subjects to exercise their rights.
New rights created by the GDPR sometimes require new tools to be implemented, in particular IT developments. For example, the right to portability, which allows data subjects to request the transmission of all data which concerns them in an easily re-usable format; or the right to request restriction of the processing, which requires you to isolate data in order to forbid its processing for a certain period of time.
Note to data processors: if you process personal data mainly as a processor, you may also be required to comply with specific obligations, such as maintaining a record of processing or, where applicable, designating a DPO. Within the framework of your relations with your clients, you will be subject to specific obligations as well, in particular of advice and support. For example, having to assist your clients in carrying out privacy impact assessments, in processing employees’ or customers’ requests in relation to their personal data, or having to alert them if the instructions they give you are contrary to the regulations.
Conclusion: complying with the GDPR implies carrying out an internal audit in order to assess your current situation and the required actions. It represents a certain burden – in terms of resources and time – but is a necessary investment, both legally and commercially.
Don’t wait until May 24th, 2018 to think about these issues, and get to work ASAP!