While most companies have understood the challenge of the General Data Protection Regulation (GDPR) that will come into effect on 25 May 2018, the implementation of its provisions remains difficult to grasp. With just two months to go before the regulation enters into force, it is imperative for companies to make their staff aware of the objectives of the regulation and, especially, how to put them into practice.
1.Risk mapping
To implement its compliance plan, the company must start by identifying the processing of personal data, and all computer and manual flows, to determine where each data process comes from, by whom is it carried out, and finally, its purpose. This data mapping will ultimately define the challenges and risks specific to the company. In this context, the CNIL (French data protection authority) offers examples of record sheets to guide work teams on the actions to be taken.
- A roadmap sent to its work team
Once the mapping is established, the team must prioritize its actions by drafting a roadmap including:
– a method ensuring management of the risks previously identified by the work team,
– raising awareness of the operational staff within the company,
– establishment of a new governance,
– creation of a procedure for data processing management, to ensure the company’s continuous conformity.
- Informing the individual when collecting personal data from external sources
Although it is possible to process data collected from external sources such as public databases, social networks, lists of prospects, the provisions of the Regulation must be respected. However, under Article 47 of the GDPR, the company will have to assert a legitimate interest in the collection of such data. This legitimate interest can be asserted when:
- the data processing takes place in the context of a customer relationship,
- the processing is carried out for marketing purposes,
- the processing prevents fraud or ensures the security of the computer systems network.
- The choice of the individual in relation to the collection of his personal data
In order to be able to process the personal data, the company must allow the individual to provide his express consent as stipulated under Article 7 of the GDPR. In practice, the pre-checked boxes will be excluded in favour of a provision exclusively devoted to the individual’s consent for each piece of personal data collected. This makes it possible to limit the over-collection of data; for example, collecting the individual’s exact date of birth will no longer be allowed if the year of birth is sufficient to satisfy the purpose of the processing, just as the individual’s exact place of residence if the country is sufficient. Faced with these requirements, the company will have to adapt and store only the data strictly necessary. Moreover, if the individual wishes to modify or even delete his personal data, this operation must be easy to perform, which means making the system for collecting personal data flexible.
- Ensuring compliance by subcontractors
Although the regulation is aimed at the direct holders of personal data, said regulation also applies to subcontractors and sales persons when they have access to such data. Indeed, the latter are required to certify their compliance with the GDPR. To do this, it is recommended that, if companies subcontract the data collected, they include standard data protection clauses attesting to their compliance with the GDPR.
- What are the working tools of employees covered by the GDPR?
By definition, the GDPR applies when
- the processing is carried out by “automated means”,
- the data “is part of a filing system or is intended to form part of a filing system” although the processing is not carried out by automated means in the strict sense of the word.
With regard to the first case, the work teams only convert documents into digital format. The situations referred to in the second case are those of systems for classifying “any structured set of personal data that is accessible according to specific criteria”. In practice, all unorganised paper documents, such as loose documents on a printer or documents on a desk, are not subject to the GDPR. On the other hand, whenever these paper documents are organised by staff so as to be accessible according to defined criteria, the GDPR will apply. For example, files submitted in a file indexed by name, expense reports sorted by function and sorted internally, or files from the department of human resources, will be subject to the GDPR. In light of future changes, we recommend coming into compliance as soon as possible. With a department dedicated to personal data issues and a department with technical skills, Dreyfus & associés is the ideal partner to assist you in this transition process.
In light of future changes, we recommend coming into compliance as soon as possible. With a department dedicated to personal data issues and a department with technical skills, Dreyfus & associés is the ideal partner to assist you in this transition process.