{"id":1769,"date":"2020-06-04T14:22:00","date_gmt":"2020-06-04T18:22:00","guid":{"rendered":"https:\/\/www.dialoginsight.com\/rgpd-comment-sy-conformer\/"},"modified":"2023-07-03T16:37:36","modified_gmt":"2023-07-03T20:37:36","slug":"gdpr-how-to-comply","status":"publish","type":"post","link":"https:\/\/www.dialoginsight.com\/en\/blog\/data-management\/gdpr-how-to-comply\/","title":{"rendered":"GDPR: How to comply?"},"content":{"rendered":"

Having dealt with Canada\u2019s anti-spam legislation for deveral years, Dialog Insight n\u2019a pas \u00e9t\u00e9 tr\u00e8s surprise d\u2019apprendre, en 2016 que l\u2019Union europ\u00e9enne suivait la vague en votant un projet de loi pour encadrer les communications \u00e9lectroniques de nature promotionnelles. Cette nouvelle loi entr\u00e9e en vigueur en mai 2018 et applies to any organization that processes the personal data of EU residents and citizens.\u00a0<\/p>\n

Officially, this law is called the General Data Protection Regulations, GDPR for Intimates. It aims at increasing the obligations of organizations processing personal data and at strengthening the control that EU citizens have over the collection and use of their personal information. \u00a0<\/p>\n

It is important to distinguish GDPR, which deals only with personal data, and e-mail per se. There is no mention of communication channels in this law. Information about electronic communications can be found in the European Directive on the protection of privacy in the electronic communications sector, which dates back to 2002. These indications are similar to the different notions of consent in Bill C-28 in Quebec, for more information, you can consult the article of the law here<\/a><\/strong>.<\/p>\n

Although we tend to talk about the GDPR as a closed issue, we were surprised to learn that one year after its implementation, two-thirds of companies were still not in compliance with the new law[1]<\/a><\/strong>. It’s huge! So I guess the subject is far from being closed…<\/p>\n

If you are in this situation, the rest of this article tells you the different steps you need to take to make sure you comply with this law.<\/p>\n

\u00a0<\/p>\n

1. Review existing practices<\/strong><\/span><\/h2>\n

The first step on the road to GDPR compliance is to understand how personal data is stored, processed, shared, and used within your enterprise. Identify the existing personal data processing practices, those responsible for them, the current security levels, and the changes required.<\/p>\n

Know that GDPR obligations do not apply only to your enterprise but also extend to your suppliers who process personal data on your behalf.<\/p>\n

\u00a0<\/p>\n

2. Keep a register of processing activities<\/strong><\/span><\/h2>\n

Your enterprise must be able to prove compliance with the GDPR at any point in time. To that end, you must keep a register of data processing activities, which replaces the mandatory declaration to the CNIL<\/a><\/strong>. This register should include all operations performed on personal data related to the following processes: collection, storage, use, sharing, or destruction. You must ensure, at all times, that the processes in place are compliant, secure, and that they guarantee data confidentiality. \u00a0<\/p>\n

As soon as a processing activity that may infringe privacy is detected, you must conduct a privacy impact assessment. These assessments must also be documented.\u00a0<\/p>\n

\u00a0<\/p>\n

3. Keeping a healthy database<\/strong><\/span><\/h2>\n

The implementation of the GDPR is a good time for you to rework your database and keep it healthy over time. It is important for you and your customers that you keep only relevant information. That’s why you should regularly clean your database and make sure you don’t keep inactive contacts or irrelevant information in it.<\/p>\n

Besides, if you have sensitive customer data, a regular review of access within your organization may be a good practice to ensure that only those employees who need it have access.<\/p>\n

It is also a good idea to take all your information-gathering tools and adapt them to the legislation. Ask yourself if the information requested in your different forms is necessary for your organization in your different marketing targeting actions.<\/p>\n

\u00a0<\/p>\n

4. Appoint a data protection officer (DPO)<\/strong><\/span><\/h2>\n

Such an appointment is mandatory only for public sector organizations and companies processing sensitive data and\/or data on a large scale. However, having recourse to one is highly recommended for other enterprises also. \u00a0<\/p>\n

This person must be involved in matters relating to the protection of personal data. The data protection officer\u2019s main duties are to ensure compliance, to advise the controller on its application, and to act as a contact person with supervisory authorities. He or she may also be responsible for notifying the CNIL and the people concerned in case of violation of privacy, within a maximum of 72 hours.\u00a0<\/p>\n

\u00a0<\/p>\n

5. Apply the principles of privacy by design<\/em> and privacy by default<\/em><\/strong><\/span><\/h2>\n

The principle of privacy by design<\/em> aims at building privacy protection upfront when developing a new product, service, or application.<\/p>\n

The principle of privacy by default<\/em> means that once a product, service, or application has been released, the highest possible level of data protection should be guaranteed by the enterprise by default. Also, the amount of personal data collected should be strictly limited to that which is necessary for the optimal use of the product, service, or application. \u00a0<\/p>\n

\u00a0<\/p>\n

6. Provide flexible access to user data<\/strong><\/span><\/h2>\n

The GDPR guarantees your customers new rights to access their data. You must be able to respond to 4 overriding rights of your users:<\/p>\n