Having dealt with Canada’s anti-spam legislation, we now need to focus on Europe’s General Data Protection Regulation (GDPR). This new regulatory framework of the European Union (EU) will come into effect as of May 25, 2018. It aims at increasing obligations of organizations processing personal data and at strengthening the control that EU citizens have over the collection and use of their personal information. The GDPR applies to any organization that processes the personal data of EU residents and citizens. If it applies to you, here are the steps to follow to ensure compliance.
The first step on the road to GDPR compliance is to understand how personal data is stored, processed, shared and used within the enterprise. Identify the existing personal data processing practices, those responsible for them, the current security levels and the changes required. Remember that GDPR obligations do not apply only to your enterprise but also extend to suppliers who process personal data on your behalf.
The enterprise must be able to prove compliance with the GDPR at any point in time. To that end, you must keep a register of data processing activities. This replaces the mandatory declaration to the CNIL. The register should include all operations performed on personal data related to the following processes: collection, storage, use, sharing or destruction. The enterprise must ensure, at all times, that the processes in place are compliant, secure and that they guarantee data confidentiality.
As soon as a processing activity that may infringe privacy is detected, the enterprise must conduct a privacy impact assessment. These assessments must be documented.
Such appointment is mandatory only for public sector organizations and companies processing sensitive data and/or data on a large scale. However, having recourse to one is highly recommended. This person must be involved in matters relating to the protection of personal data. The data protection officer’s main duties are to ensure compliance with the GDPR, to advise the controller on its application and to act as contact person with supervisory authorities.
The data protection officer may also be responsible for notifying the CNIL and the people concerned in case of violation of privacy, within a maximum of 72 hours.
The principle of “privacy by design” aims at building privacy protection upfront when developing a new product, service or application.
The principle of “privacy by default” means that once a product, service or application has been released, the highest possible level of data protection should be guaranteed by the enterprise by default. In addition, the amount of personal data collected should be strictly limited to that which is necessary for the optimal use of the product, service or application.
Users must systematically be able to indicate consent or refusal for the processing of their personal data. They must also be informed in a clear and understandable way about the use that will be made of their data. The enterprise should be able to prove, at any point in time, the consent of a person. The following should therefore clearly be explained in the information notes: what data are collected, the purpose of the processing, the data retention period and the consequences of the refusal to provide personal data.
The right to portability and the right to be forgotten give users the possibility to dispose of their data as they wish, either by requesting its retrieval in order to transmit it to a third-party enterprise or by asking for its destruction.
Any employee who is likely to handle data must be aware of best practices to ensure its protection and confidentiality. Make sure to train all concerned within the enterprise.
Download our compliance checklist now.
For further information, please refer to the full text on the General Data Protection Regulation (GDPR).
