Reminder: The new European regulation on personal data protection (GDPR) will enter into force on 25 May. There are therefore only four months left to comply with the personal data requirements.
The GDPR reduces the administrative burden in relation to the Commission nationale de l’informatique et des libertés (French regulatory body for data privacy) in return for placing the responsibility on professionals through a reduction in the use of personal data and planning for these topics when processing is designed. The GDPR imposes new rules on data controllers and their data processors when the data being processed concern European residents, in particular requiring:
- a register to be maintained containing all processing actions;
- internal policies to be put in place related to protection and data processing documentation;
- notification of data violations to be provided within 72 hours;
- a data privacy officer (DPO) to be appointed in certain companies (in particular companies whose main activity is large-scale data processing);
- privacy impact studies to be carried out for some types of “at risk” processing.
Data controllers must adapt all their contracts with data processors (including their web host) to ensure that they satisfy the technical and organisational guarantees required by the GDPR. Processors have a duty to cooperate with, assist and advise the data controller in the application of the GDPR.
The GDPR also creates new rights and strengthens existing rights for the people involved:
- the right to data portability, which requires there to be a request processing procedure in place and for data formats to be developed so they can be read by other competitor companies;
- the requirement for increased consent, in particular to protect minors.
Although sanctions are graduated, they can reach EUR 20,000,000 or 4% of the company’s total global annual turnover, with the higher number being applied. It should be noted that in the event of shared misconduct between the data controller and the processor, liability will be joint and several.
Our recommendation: Here are the main steps to take now to make sure you comply with the GDPR:
- Perform an internal audit to identify what data are collected, existing processing, on what basis data are processed and so on.
- Revise or put in place a data confidentiality policy and a digital tool usage charter.
- Document what measures are in place to comply with the GDPR such as IT security and internal procedures.
- Train teams and put in place crisis management procedures.
- Adapt any contracts with data processors to strengthen their obligations in this regard.
Contact: Mathilde Croze