What you need to know about the RGPD

The DMPP or The European General Regulation on the Protection of Personal Data is currently in force as it comes into force on 25 May 2018. All member countries of the European Union are concerned by this text. Companies are obliged to comply with this Regulation before it is applied. Some are apprehensive about it, whereas these provisions bring benefits. What is meant by RGPD ? What are its objectives and main measures? How to comply with this regulation?

What's the RGPD?

This text, adopted on 27 April 2016, protects the personal data, and thus the privacy of European Internet users. It enables them to control their private information. It has an impact on EU professionals collecting personal data. In France, it is the CNIL that will ensure the proper implementation of the RGPDThis is done, inter alia, through checks on companies.  

Who's involved?

All organisations, in the broadest sense, are concerned by the RGPD, as long as they process personal data: from the public limited company to the micro-entrepreneur, the one-man limited liability company, the public body or even the association.  

Personal data, what is it?

Data are said to be personal when they allow the direct or indirect identification of an individual. Personal data are therefore the following information: surname, first name, address, email, telephone number, IP address of the computer, profiling data...  

The three objectives of the DPGR

The RGPD has a triple purpose:

• Strengthening the rights of all citizens over their personal data ;
• Intensify the control of private information and the structures collecting it, as well as the implementation of sanctions in the European Union ;
• Making companies collecting personal data responsible.

 

The five key measures of the DPGR

The European Regulation includes five main measures:  

Securing the processing of personal data

  Companies must guarantee and be able to prove that data processing is secure and compliant with the RGPD at any given moment. Traceability of data processing must be feasible in order to assess companies' good practices regarding the use of personal information. The mandatory declaration of data processing files to the CNIL will no longer exist in the future: this makes data processors responsible, who now have an obligation to comply.  

Making the processing of personal information transparent

  The collection and processing of data must be transparent: the data subject must be able to give his or her consent, be aware of the objectives pursued and the length of time the data will be kept. The structure must keep this information in order to keep proof of it in case of control by the CNIL. And, of course, any person can request the rectification, portability or deletion of his or her data at any time, with clear information on the procedure for making such a request.  

Inform the CNIL of any flaws that endanger the respect of privacy

  A company finding a flaw in its information system (an external hacking, for example), which is likely to infringe on the privacy of the people whose data has been collected, must inform the CNIL within 2 days of the discovery of the flaw.  

Extending obligations to subcontractors

  Subcontractors working for organisations carrying out data processing must comply with the RGPD. Consequently, companies are obliged to select a service provider that complies with the provisions of the Regulation.   To give a simple example, an entrepreneur who collects personal data on his website via a contact form, must ensure that the host of his website, through which this data transits, is itself in compliance with the DPMR.  

Conferring new rights on citizens

The Regulation provides rights related to the use and processing of personal data:

• Thanks to the right to oblivionIf a person requests the permanent deletion of his personal data, he can ask for it to be deleted;
• Via the right to data portabilityIn addition, individuals have the possibility to request personal data that they have provided to an organisation, which will be transmitted to it in an intelligible and easily reusable format;
• According to the law on the protection of data of minors, minors under 16 years of age (15 years of age in France) cannot themselves give their consent to the collection of personal data concerning them. The consent of their legal representative is required.

 

The five steps to bring a company into compliance with the DP Regs

For the CNIL, these phases allow companies to comply with the Regulation in May 2018, or at least to be on track to compliance :

• The RGPD invites you to choose a Data Protection Officer (DPO). This appointment is mandatory for public bodies, bodies working with data on a large scale and bodies collecting sensitive health and legal data in particular.

The DPO ensures compliance with the DPMR and monitors the work done on data protection. As the DPO must be independent, he or she cannot be the chief executive. Therefore, in small structures, it is not mandatory, and can also be outsourced (several small structures can share a DPO in order to reduce costs);  

• Identify the various personal data processing operations carried out in the company, as well as their purposes (this makes it possible to delete data for which the purpose has been achieved, or to limit certain collections to data strictly necessary for the fulfilment of the purpose). These processing operations must be recorded in a specific register;

 

• Carry out an analysis of the impact on the privacy of the persons concerned by the processing operations carried out by the company. The CNIL has developed a open source software allowing the impact study to be carried out according to its method.

 

• Securing personal data internally (secure servers, encryption of certain data, passwords to access equipment that allows data to be consulted such as PC, telephone..., tracing connections...).

 

• The CNIL recommends keeping proof of compliance to prove the company's good faith.

  This very well done graphic gives general information on the RGPD, as well as many useful links: see the video. Overall, most of the answers to the questions asked by companies can be found on the CNILwhich provides tools, file or clause templates to comply with the DPMR. In order to be ready on time, companies can also get closer to a Industrial Property Attorney to take stock of the various elements that need to be improved for compliance.