What is the european GDPR ?
The GDPR is the General Data Protection Regulation, a European regulation that came into force on 25 May 2018. This law concerns the processing and collection of personal data of all European citizens for all companies, regardless of their nationality.
For its implementation, the site of the Commission National de l'Informatique et des Libertés (CNIL) has produced an article entitled "How to prepare for the RGPD in 6 steps" in order to accompany individuals and companies, but also "RGPD, where to start?". The BPI has also proposed a "guide of good practices for VSEs and SMEs" that should be read.
How will this affect my website or any of my digital services?
The implementation of DPM has immediate consequences on web sites and applications, e-commerce, blogs, intranet or extranet; and more broadly in all your digital services which also includes all your contracts. Thanks to our experience and our collaboration with a specialist law firm, Naes assists its Clients in the actions that need to be taken: this is our role as a consultancy agency. Below is a useful mini-guide for the major steps to be taken. Of course, we are here to help you in this work.
The different steps to follow in order to be in compliance
Let us recall first of all that the GDPR is an obligation of means and not of result. However, it is strongly advised to follow all the following steps in order to comply with the measures set out by the CNIL.
Designate a data controller
In general and as mentioned by the CNIL, this will be the legal representative of the company.
It may also be mandatory to appoint a DPO (Data Protection Officer) and report it to the CNIL. The appointment of a DPO concerns companies that include one of the following criteria:
- Being a public authority or body;
- Have an activity requiring regular and systematic monitoring of people on a large scale;
Process sensitive data such as those relating to racial origin, political, philosophical or religious opinions, health, sex life, etc.; - Have a business activity requiring regular and systematic monitoring of people on a large scale.
The DPO will therefore be the one who ensures the processing and proper maintenance of the data register (see below). The DPO must have both legal and technical background. To find out how to properly designate him, please refer to https://www.cnil.fr/fr/designation-dpo.
Keeping a record of data collection and processing
This register (model available here: https://www.cnil.fr/sites/default/files/atoms/files/registre_rgpd_basique.pdf ) will enable you to identify the type of data you collect (client/prospect files, payroll management, recruitment), the data used for each of them (surnames, first names, age, etc.), who has access to this data (in-house HR, service providers (us for example), hosting providers, etc.) and how long you keep this data. It is the role of the controller and/or the DPO to take care of this.
Sort this data to prove that its attributes are useful to your business.
For example, if you have data on the ages or number of children of your employees, you will need to be able to prove that this data is necessary for the performance of your activities. Please note: if among your processed data, some of them appear in this list available here: https://www.cnil.fr/fr/analyse-dimpact-relative-la-protection-des-donnees-publication-dune-liste-des-traitements-pour you will be under the legal obligation to carry out a DPA - Data Protection Impact Assessment which will have to be transmitted to the CNIL. This analysis can be carried out using open-source software offered by the CNIL (https://www.cnil.fr/fr/analyse-dimpact-la-version-20-de-loutil-pia-est-disponible ) or in the form of a digital document.
Respecting the rights of individuals
On each form on a site or application, it is essential to inform people about the reason for collecting their data and the purpose, what authorises you to do so (contract, legal basis), who has access to it (also third parties), how long the data will be kept, the means made available to individuals to exercise their rights (email address to request the deletion of their data, access to their user profile logged on a platform and being able to modify/delete their data), to let them know if you transmit these data outside the EU and its legal scope.
It is then convenient to refer for each form to your updated privacy policy or to create a dedicated RGPD charter.
Secure your data
Here it is a question of respecting good practices internally, such as the use of sufficiently complicated passwords on platforms allowing access to personal data and the regular renewal of these. It is also essential to keep your software, sites and web applications up to date in order to strongly limit the risks of piracy.
Integrating outsourcing
Subcontractors have obligations in terms of security, confidentiality and documentation of their activity. They must integrate measures relating to personal data as early as the design of their 'privacy by design' tools and software.
The CNIL tells us that "Subcontractors also have an obligation to advise their customers (example: insist on software updates). They must help them in the implementation of certain obligations of the regulation (example: privacy impact study, data breach notification, security, etc.). Finally, processors must keep a register of processing activities carried out on behalf of their clients in addition to their own processing! In order to determine the respective obligations of controllers and their processors, it is necessary to draw up a contract. This contract must include a specific clause on the protection of personal data. Examples of clauses are available on the CNIL website. »
Furthermore, the liability between a provider and a customer is linked. The CNIL can punish a subcontractor working with a non compliant client and a client can be punished for working with a non compliant provider. edit 20/12/2018: Mr.Samadja tells us that the responsibility is mainly on the side of the data controller.
Write an GDPR charter (to be published on its website)
Through this dedicated charter or through the updating of the site's privacy policy it is necessary to recall the purpose of the data processing, the objective with regard to the company's activities, whether the data are transiting with third party service providers and what types, where the data are hosted, give the possibility to the Internet user to request the deletion of the data by indicating the email of the data manager or by creating a specific form for this purpose. It must also be indicated how long the data will be kept...
The steps previously described from 1 to 6 are therefore essential before writing this charter.
Check the general terms and conditions and legal notices of your commercial contracts with your subcontractors
Contracts must be updated by means of an amendment indicating exactly to what extent data are processed and for what purpose in exactly the same spirit as for the RGPD charter.
It should be noted that any level of new subcontracting must be specifically indicated to the client. The CNIL tells us that: "As a sub-contractor, you may only recruit another sub-contractor after having obtained your client's written authorization. This authorization may be, at the parties' choice: 1. specific, i.e. granted for a particular subcontractor or 2. general, you must inform your client of any changes contemplated regarding the addition or replacement of subcontractors, allowing your client to object to these changes. The processor you recruit is subject to the same obligations as those laid down in your contract with your client controller. In particular, he must provide sufficient guarantees that appropriate technical and organisational measures have been implemented to ensure that the processing complies with the European Regulation. If the processor you recruit does not comply with its obligations, you are fully responsible vis-à-vis the controller for the performance by the processor of its obligations.
Update your websites
The website will have to include a cookie banner adapted to the new RGPD standard and a panel allowing the user to customize the tracking of his data on the site that would be collected via certain cookies.
In addition, as mentioned in point 4, the user must be able to know his rights and tick an explicit box on each form collecting his data (name, first name, email etc...). For more simplicity, you can redirect the person to your updated RGPD charter or privacy policy.
If the site has a connection with a user account, this account must provide him access to modify all his profile data and allow him to delete it permanently as well as his related data.