This article is the first of a serie of 3 centered around the GDPR.
If you are curious about :
The GDPR provides for a reinforcement of the rights of individuals, imposes on data controllers and processors a certain number of obligations, and provides for sanctions for their non-compliance.
Being a European Regulation, this text is directly applicable throughout the European Union, which implies a necessary compliance with the provisions of this Regulation. Actors outside of the EU are also expected to comply, as soon as they process personal data related to european residents.
This compliance operation is a complex and delicate task that companies must implement. It is an active process that affects several spheres within an organization. It should not be seen as a simple constraint, but as an opportunity for companies to distinguish themselves from others by highlighting their ability to respect users' rights.
To achieve this compliance, several steps are necessary. Which ones are they?
Establishing a data processing register
What is a data processing register? It is a document listing all the personal data processing operations in order to have an overview of the data processing.
To do this, it is necessary to start by identifying all the activities and then all the data processing within the company.
Each activity must be detailed in a file, which must describe the objective pursued, the categories of data used, who has access to the data as well as the retention periods.
The head of the company is responsible for the register, which must be complete and up-to-date. This implies a very good communication between the different parts of the company.
The CNIL offers a data processing register on its website, which can help in the creation of this document.
Sorting out the processed data
Having an overview of the processed data is essential, it helps ensuring there is no illegitimate processing.
The GDPR consecrates a principle of data minimization.
This implies that the data processed is necessary for the activities, that no sensitive data is processed without specific measures, that only authorized persons have access to this data and that the storage period does not exceed what is necessary.
In the event that a processing operation is not necessary, appropriate measures should be taken to remedy the situation.
Respecting the rights of individuals
The GDPR provides for users' rights, which must be respected. This implies in particular clear and precise information addressed to the user concerning the processed data.
Moreover, means must be provided to allow people to exercise their rights.
Securing the data
The data controller is bound by an obligation of means. In the event of a data breach, whether accidental or criminal, he can be held responsible if all IT or physical measures have not been taken to limit the risks.
Furthermore, in the case of a data breach, the CNIL must be informed within 72 hours if the breach is likely to represent a risk to the rights and freedoms of the persons concerned. If the risk is high, the persons concerned must also be informed.
Being compliant to the GDPR is essential for companies and must be taken seriously. In order to do so, each actor of a company is concerned by compliance. From Data Protection Officiers, to developers and human resources professional, they are all concerned. As such, they must take action to ensure the GDPR is respected.
In order to help you to share the compliance related knowledge, we are working on a serie of article explaining, in the clearest possible manner, the steps that one should follow to implement a good compliance plan. You take a look at that by clicking on this link.here.