May 2018, risk and personal data management: it is necessary to get prepared

imageThe protection of personal data is a growing concern for consumers whose data are being collected. The new General Data Protection Regulation (GDPR, Regulation 2016/679 of 27 April 2016) will be implemented on 25 May 2018. Its new provisions introduce new obligations with heavy penalties of up to several million euros. The G29 clarified some of these obligations. Particularly, it is now mandatory to document the steps taken to comply, to keep a register or to designate a Data Protection Officer in some cases.

In order to comply, it is advised to put in place an audit which establishes a precise mapping of all data processing within the company.

Everyone is concerned, be it big accounts or start-ups. Your company is concerned: through its website, its social networks, its loyalty programs, through databases of clients and prospects or through the management of marketing campaigns. The regulation is intended to be applicable to the processing of any personal data of everyone located in the territory of the European Union.

A 3-step action plan seems to be the most appropriate:

  • 1st step: mapping the processing of personal data

This is all about identifying the processing of the data collected within the company: the categories of processed personal data, the objectives pursued by the data processing operations, the actors processing this data, and finally the in and out-flows while specifying their origin and destination.

  • 2nd step: conduct a compliance audit

Thanks to the first step, a summary and personalized recommendations can be established. Based on this information, you will have a global view of the steps to be taken in order to ensure that your business meets the requirements of the regulation.

  • 3rd step: accountability – Compliance

Finally, an action plan should be drawn up based on the results of the mapping and the audit. An industrial property Attorney will help you to overcome any shortcomings in your current protection: the holding of a register, the designation of a Data Protection Representative, the right to portability of data etc.

This action plan may also be accompanied by a security audit.

Given the importance of these changes, we recommend that compliance should be initiated as soon as possible. Now endowed with a department dedicated to the problems of personal data and a department with technical skills, Dreyfus & associés is the ideal partner to accompany you in this transition process.