The General Data Protection Regulation (GDPR), which has applied since May 25, 2018, is the European Union regulation on the protection of personal data, digital or not, i.e. any information relating to an identified or identifiable natural person. Pseudonymized data remain personal data, because the person can still be re-identified with additional information; only genuinely anonymized data fall outside its scope. The regulation introduces a shared set of rights for natural persons and duties for organizations processing personal data. It applies to organizations established in the EU and to organizations anywhere in the world that offer goods or services to, or monitor the behavior of, people located in the EU, whether customers or employees. That is why private and public organizations alike are concerned by this reform. The purpose of this article is to outline the elements you have to put in place to comply with it.
What are the main principles introduced by the GDPR?
First, the GDPR requires you to keep a record of all your processing activities. Companies with fewer than 250 employees are exempt only if their processing is occasional, is unlikely to result in a risk to the rights and freedoms of the people concerned and does not involve sensitive data or data relating to criminal convictions; in practice most organizations end up keeping a record anyway. For each processing activity, the record lists the categories of data used (what), the purposes (why), the stakeholders who use them or are responsible for them, including recipients (who), the retention period (when) and the security measures applied (how). It must be kept up to date and made available to the supervisory authority on request. Drawing it up is also a good opportunity to sort through the data collected and remove what is irrelevant to the stated purposes (the data minimization principle).
You can rely on this record to fulfill a second obligation: to identify a valid legal basis for each processing activity and to inform the people whose data you use. Consent is one of six legal bases, alongside, for example, the performance of a contract or compliance with a legal obligation; where you do rely on consent, it must be freely given, specific, informed and unambiguous, obtained before the data are collected, and explicit when sensitive data are involved. In all cases you have to inform data subjects of the five points mentioned in the record, as well as the legal basis that allows you to use their data, a reminder of their rights and the contact details of the person to whom they can address requests. The rights granted to natural persons by the GDPR are the right of access, the right to rectification, the right to object, the right to erasure (the "right to be forgotten"), the right to restrict processing and the right to data portability. You must be able to demonstrate that consent was given, which in practice means keeping a record of who consented, when and to what, and you have to respond to requests to exercise these rights within one month, a period that may be extended by two further months for complex or numerous requests provided the person is informed within the first month.
The right to data portability, mentioned above, also involves specific provisions in your company. It means that anyone has the right to receive the personal data they have provided to you, where the processing is based on their consent or on a contract and is carried out by automated means, in a structured, commonly used and machine-readable format, and to have them transmitted directly to another controller where technically feasible. Thus, you must make sure that the data you are processing can be exported in an "open and machine-readable" format, in the words used by the CNIL (Commission Nationale de l'Informatique et des Libertés, the French data protection authority), for example CSV, JSON or XML rather than a proprietary or printed format.
You also have to secure the data in line with the measures described in the record, and those measures must be appropriate to the risk: encryption or pseudonymization, access control, and the ability to restore availability after an incident are the usual examples. If a personal data breach occurs, you have 72 hours from becoming aware of it to notify the CNIL, unless the breach is unlikely to result in a risk to the people concerned; where the risk to them is high, you must also inform them without undue delay. Every breach, notified or not, has to be documented in an internal breach register so the CNIL can verify compliance. The entry into force of the GDPR is a good opportunity to assess your security measures, as well as to take out insurance covering cyber-risks.
In addition, the GDPR defines special categories of personal data, usually called sensitive data: data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions or trade union membership, and genetic data, biometric data, data concerning health, and data concerning sex life or sexual orientation. The regulation and the supervisory authorities' guidelines also identify processing operations considered high-risk: profiling or scoring, automated decision-making with legal or similar effects, systematic monitoring, collection of sensitive data, large-scale processing, processing of data about vulnerable persons (minors, elderly persons, etc.), matching or combining datasets, innovative use of new technologies, and processing that prevents people from exercising a right or using a service or contract. If a processing operation meets at least two of these criteria, you are obliged to carry out a Data Protection Impact Assessment (DPIA). It must be carried out before the processing starts and consists in describing the processing, assessing its necessity and proportionality, identifying the risks to the people concerned, measuring their likelihood and severity, and defining the measures to address them. You only have to submit it to the CNIL, through the prior consultation procedure, if the residual risk remains high after these measures. This prior consultation is the only mandatory formality that remains: the general obligation to declare processing to the CNIL beforehand has disappeared, which reduces the administrative burden.
Finally, you have to comply with several rules if the processing involves other stakeholders. When you outsource the collection or processing of personal data, you remain the controller and the subcontractor is a processor acting on your instructions. The relationship must be governed by a written contract setting out, among other things, the purpose and duration of the processing, the categories of data, your instructions, the processor's confidentiality and security obligations, the conditions for sub-processing and what happens to the data at the end of the contract. The processor must keep its own record of the processing it carries out on your behalf, and you have to check that its security measures are sufficient, since you are liable for choosing a processor that provides adequate guarantees. If the outsourcing involves transferring personal data to an organization established outside the European Union, you have to make sure the data remain adequately protected. The European Commission publishes a list of countries whose level of protection it deems adequate; transfers to other countries require appropriate safeguards such as the Commission's standard contractual clauses or binding corporate rules. Standard clauses and approved binding corporate rules no longer require prior authorization from the CNIL, whereas ad hoc contractual clauses still do; in every case you must document the guarantees you obtain from your subcontractor.
What is a DPO?
The Data Protection Officer (DPO) is a new function introduced by the GDPR. You are obliged to appoint one if you are a public authority or body, if your core activities involve regular and systematic monitoring of people on a large scale, or if your core activities involve large-scale processing of sensitive data or data relating to criminal convictions. The DPO informs and advises the organization on its GDPR obligations, monitors compliance (including the allocation of responsibilities, awareness-raising and training of staff), advises on DPIAs, and acts as the contact point for the CNIL and for people who wish to exercise their rights. The DPO may be an employee or an external contractor but, in both cases, you must ensure they have the required professional qualities, i.e. expert knowledge of data protection law and practice and an understanding of your information systems. Considering the supervisory role, you must ensure that they act independently, report to the highest management level and have the resources they need; they must not receive instructions regarding the exercise of their tasks and cannot be dismissed or penalized for performing them. The position is incompatible with any role in which the person determines the purposes and means of processing, and a fortiori with executive positions or the head of a department such as IT, HR or marketing.
Finally, even if you are not obliged to appoint a DPO, it is preferable to appoint a GDPR manager. This manager ensures that your company complies with the regulation, is able to inform your employees and handles the requests of people who exercise their rights over the data you collect.
What are the penalties applicable?
In France, the CNIL is in charge of enforcing the regulation and has coercive powers: it can issue warnings and orders, restrict or ban a processing operation, and impose administrative fines. The fines follow two tiers: up to €10 million or 2 percent of the worldwide annual turnover of the preceding financial year, whichever is higher, for breaches of obligations such as record-keeping, security and breach notification; and up to €20 million or 4 percent of that turnover, whichever is higher, for breaches of the basic principles, of data subjects' rights or of the rules on international transfers.
Moreover, the national legislator lays down criminal penalties. In France, for instance, the Criminal Code punishes infringements of the data protection rules, such as failing to secure personal data or processing them unlawfully, with up to five years' imprisonment and a fine of €300,000 for natural persons (fines for legal persons are higher). In addition, victims can claim compensation for the harm suffered before a civil court. Last, you must keep in mind the reputational damage for your company that could result from non-compliance with the GDPR.
To conclude, given what is at stake, it is really important that you comply with the GDPR as soon as possible. This article is a summary of the measures to be implemented; it is preferable to consult an expert to validate the new processes. Be careful, however: the CNIL has warned against the growth of self-proclaimed GDPR experts. You can also consult the CNIL and Bpifrance (the French public investment bank) websites to improve your understanding of the subject. They offer many additional resources, such as templates for the record of processing activities or for consent request forms. Finally, do not forget to train your employees to ensure better compliance with the GDPR within your organization.