Learn more about the GDPR
After three years of a "prevention policy", the CNIL has decided to impose sanctions. The CNIL, the French data protection authority, now intends to use its full range of sanctions not only against the GAFAMs but also against small and medium-sized companies, as shown by the 138 million in fines imposed in 2020.
In force since May 25, 2018, the General Data Protection Regulation (GDPR) replaces Directive 95/46/EC and strengthens the obligations of companies regarding the personal data they process.
What is personal data?
Personal data is defined as any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Certain categories of data, known as "sensitive" data, require increased vigilance on the part of the data controller and benefit from special legal protection. They are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning the sex life or sexual orientation of a natural person.
What is imposed by the GDPR?
The GDPR sets out 6 main principles that any company wishing to process personal data must comply with:
- Process data in a legal, fair and transparent manner
- Collect data for specific, explicit and legitimate purposes (purpose limitation)
- Ensure that the data is adequate, relevant and limited to what is necessary for the purpose (data minimization)
- Guarantee the accuracy of the data
- Do not retain data longer than necessary (storage limitation)
- Implement measures to ensure data integrity and confidentiality
How to ensure compliance with the GDPR?
To guarantee compliance with the regulation, the company must put in place a number of internal procedures:
- Appointing a DPO
To support this implementation, the regulation created a new role within organizations: the Data Protection Officer (DPO). The DPO steers the implementation of, and ongoing compliance with, the GDPR. For the DPO to carry out this mission, the organization must guarantee their independence and provide them with the necessary means, in particular appropriate digital tools. The ORYGA tool developed by Clardian, for example, lets the DPO monitor and automate all the tasks required for proper implementation of the GDPR.
- Map the processing of personal data and the data life cycle:
Any company with more than 250 employees, or processing a large amount of data, is required to keep a record of processing activities (processing register). This register lists every activity that involves the collection and processing of personal data.
- Documenting compliance
The GDPR requires the controller to ensure the security of the data it processes. Drawing on the ISO 27001 standard, the CNIL strongly recommends implementing a management system and technical measures (antivirus, access management, etc.) that follow current best practice. All of these procedures and technical measures must be documented.
The data controller must also ensure that its service providers (processors) comply with the GDPR and must impose adequate security standards on them.
- Conducting impact assessments on processing operations
Each processing operation must be assessed for compliance with the GDPR. Where a processing operation calls for particular vigilance, an impact analysis must be carried out. This is the case when the processing presents a high risk to the privacy of the data subjects, in particular when it involves a large number of people or contains sensitive data, such as health data.
The ORYGA software allows impact analyses to be carried out using a predefined form, based on risk management following the EBIOS method.
- Ensuring the rights of people whose data the company processes
The GDPR protects, and in some cases creates, rights for the people whose personal data is collected and processed:
- Right to be informed (art. 13 and art. 14 of the GDPR, together with the obligations set out in art. 12)
- Right of access (art. 15)
- Right of rectification (art. 16)
- Right to erasure ("right to be forgotten" - art. 17)
- Right to restriction of processing (art. 18)
- Right to portability (art. 20)
- Right to object (art. 21)
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects (art. 22)
Note that these rights also extend to the company's own employees.
- Notify and document security breaches
In the event of a personal data breach, the GDPR requires a double notification within 72 hours: to the CNIL and to the data subjects.
This notification obligation also applies to the processor (subcontractor), which must inform the data controller as soon as possible of any breach.
All information gathered on the origin of the incident and the measures taken in response must be documented, so that it can be provided as soon as possible to the supervisory authority, the data subjects and/or the data controller.
The European regulation has greatly strengthened the sanctions available to the CNIL and its European counterparts.
Beyond the reputational damage, the supervisory authorities have a range of administrative measures at their disposal, from a warning or an order to cease processing up to fines of €10,000,000 or €20,000,000, or 2% to 4% of annual worldwide turnover.
Clardian has developed the ORYGA tool, intended for companies and DPOs, to simplify the implementation and monitoring of GDPR compliance within the organization. A genuine toolkit, it covers the processing register, impact analyses based on the EBIOS method, the documentation of security breaches, the monitoring of data subjects' rights, and a Business Intelligence module to track the implementation of the regulation in your organization.