Prepare for the GDPR
The GDPR (General Data Protection Regulation), or in French RGPD (Règlement Général sur la Protection des Données), is a new European regulation that will become applicable on May 25, 2018.
The European Data Protection Reform has three objectives:
- Strengthen the rights of individuals, including the creation of a right to the portability of personal data and provisions specific to minors;
- Empower the actors dealing with the data (controllers and subcontractors);
- Strengthen the credibility of regulation through enhanced cooperation between data protection authorities, which may in particular adopt joint decisions when data processing is transnational, and through strengthened sanctions.
The adopted text is a European regulation, which means that, unlike a directive, it is directly applicable throughout the Union without the need for transposition in the different Member States.
Many formalities with the French CNIL will disappear. In return, the responsibility of organizations and enterprises will be strengthened: they will have to ensure optimal data protection at all times and be able to demonstrate it by documenting their compliance.
From prior formalities to a logic of accountability
While the obligations of organizations and companies under the French Data Protection Act are largely based on prior formalities (declaration, authorization), the European Data Protection Regulation is based on a logic of accountability and transparency.
This notion of accountability is reflected in particular by:
- taking data protection into account from the design stage of a service or product, and by default;
- putting in place an organization, measures and internal tools that guarantee optimal protection for the people whose data are processed.
In practice, organizations and businesses will:
- carry out an inventory of the personal data processing operations they have implemented;
- evaluate their practices and set up procedures (notification of data breaches, management of claims and complaints, etc.);
- identify the risks associated with the processing operations and take the necessary measures to prevent them;
- maintain documentation ensuring the traceability of the measures taken.
New compliance tools
From an operational point of view, compliance with the European regulation is based on different tools:
- the register of processing activities and the internal documentation;
- privacy impact assessments (PIAs) for processing operations that present risks;
- the notification of personal data breaches.
Implementing these tools first requires the designation of the Data Protection Officer (DPO), the true “conductor” of data protection within the organization. Beyond this, the logic of accountability must translate into a change in internal culture and mobilize internal or external skills (IT, service providers, legal departments, business units).
Datexis GDPR Action Plan
Datexis offers to help you set up an action plan in 6 steps:
1 – DESIGNATE A PILOT
To manage the governance of your organization’s personal data, you will need a true conductor who carries out an information, advisory and internal control mission: the data protection officer. Until 2018, if you have not already done so, you can designate a “CNIL correspondent”, which will give you a head start and allow you to organize the actions to take.
2 – MAPPING YOUR PERSONAL DATA PROCESSING
To concretely measure the impact of the European data protection regulation on your organization, start with a precise inventory of your personal data processing operations. Building a register of processing activities allows you to take stock.
3 – PRIORITIZE THE ACTIONS TO BE TAKEN
Based on your register, identify the actions to take to comply with current and future obligations. Prioritize these actions according to the risks your processing operations pose to the rights and freedoms of the people concerned.
4 – MANAGE RISKS
If you have identified personal data processing operations that may give rise to high risks for the rights and freedoms of the data subjects, you will need to conduct a data protection impact assessment (PIA) for each of these processing operations.
5 – ORGANIZE INTERNAL PROCESSES
To ensure a high level of personal data protection at all times, put in place internal procedures that guarantee
6 – DOCUMENT YOUR COMPLIANCE
To prove your compliance with the rules, you must create and consolidate the necessary documentation. The actions taken and documents produced at each stage must be reviewed and updated regularly to ensure continuous data protection.