GDPR compliance in business
The development of technology, and especially the Internet, is not without risk for users. In order to protect them, the GDPR has therefore been put in place. The objective is to have a framework that respects the right to privacy and personal freedom.
It is up to each company to put in place a policy with a view to its GDPR compliance.
What is GDPR compliance?
GDPR stands for General Data Protection Regulation. This is a European directive which sets out the rules to be followed for the processing of personal data.
It appeared in 2015, but was only applied from May 25, 2018. Its main objective is to protect European citizens from malicious use of data concerning them.
The GDPR became necessary with the advances made in data gathering. The risk is that this data falls into the hands of malicious people. The directive was therefore defined to provide a framework governing access to and use of personal data.
GDPR compliance is mandatory for all structures required to handle personal data, whether these relate to internal employees, prospects or customers.
The directive applies to companies as much as to administrations, associations or local authorities. The measures it sets out are binding on the persons and structures responsible for data processing. External service providers are also concerned, given the risks of IT outsourcing.
The particularity of the GDPR is that it affects every structure that handles data belonging to a European citizen. The rules are therefore not only in force in Europe: they can be invoked worldwide whenever the data handled belongs to a citizen of a European country.
GDPR compliance: collection of personal data and collection of consent
After bringing your company into compliance, you will receive a certification from the CNIL. Of course, readjustments may be necessary in order to achieve this. But what do we really mean by personal data? Why and how should you protect it? Which measures must be observed under the GDPR?
What personal data means
Personal data is any information that makes it possible to identify a person, directly or indirectly. This can be a name, a phone number or a customer number. Information that refers to physical, social, physiological or genetic characteristics is also considered personal.
The same goes for photos or a voice print.
The term processing of personal data then refers to any operation carried out on the kind of information mentioned above, such as its collection, organization or modification.
The obligations arising from the GDPR
Whatever the nature of the data used and the objectives targeted, there are obligations which you must comply with in accordance with the GDPR:
- First of all, you need to obtain the consent of the data subjects before processing their data;
- The processing must have a specific purpose, in line with the needs of your business;
- Data subjects must be able to keep control of the information about themselves and decide on its use. They can, for example, exercise their right to erasure or to rectification;
- You must implement a security solution for the data you hold and guarantee its confidentiality;
- You may keep the data only for a limited period. A solution that systematically deletes it once the deadline has been reached will therefore be necessary.
How to comply with the GDPR?
Complying with the GDPR means putting in place data management policies that guarantee the security of the data. This is done through a set of steps that you must begin to implement. The CNIL (France's National Commission for Data Protection) recommends four actions to align with the regulations now in force.
It is up to each company to put in place a policy for its compliance with the GDPR. The actions needed to make your website compliant are not the simplest and require solid technical knowledge. That is why, whether you are a VSE / SME or a larger business, we recommend from the outset using the services of an experienced GDPR agency, which will be able to support you in this task and ensure fully successful GDPR compliance.
Develop a register dedicated to data processing
It will allow you to follow all operations involving the processing of personal data in your business. It facilitates their management thanks to a centralization of the information concerning them.
The first step is to identify the divisions within your organization that may process personal information. This may be the department in charge of recruitment, customer files, personnel, etc.
It is then necessary to draw up a form for each of them and to specify:
- The nature of the information recorded;
- The purposes for which the data is processed;
- The people authorized to access it;
- The retention period.
The register must be held by the manager, who will exchange regularly with the employees concerned in order to keep it up to date.
Sorting recorded data
It will be useful to check all the information in your database. The objective is to ensure compliance with the policy in place:
- Make sure you only hold the data that is useful for your activity;
- Check that the people who have access to it are those who are authorised;
- Identify any sensitive data and make sure you have the right to process it;
- Monitor the data retention period so as never to exceed the imposed deadline.
Apply a transparency policy
The persons who own the data have the right to know the policies put in place for their processing. Likewise, at all times, they must be able to exercise their personal rights over this information.
You are therefore required to inform them at the time of collection. You can do this through a web form or a dedicated page that highlights your privacy policy.
It is also important to set up a mechanism that allows them to easily exercise their rights. For example, you can provide an email address that they can use to request access to or deletion of their data.
Strengthen security
Setting up data encryption and regularly updating the software you use are among the initiatives you must undertake to guarantee the security of your database. In the event of a security breach in your system, it is your duty to inform the CNIL as well as the persons concerned.
The role of the DPO in ensuring the company's compliance
The mission of the DPO, or Data Protection Officer, can be summed up in these four points:
- He helps the company map the personal data it will be required to process;
- He keeps informed of the regulations in force, advises the company on the policies to implement in order to respect them and supports it in their implementation;
- He checks GDPR compliance;
- He acts as intermediary with supervisory bodies such as the CNIL.
It is the DPO's responsibility to manage the data processing procedures that ensure compliance with the GDPR. Moreover, you can entrust him with the processing register. You should also contact him for any questions concerning data processing.
The position can be occupied by an internal person or an external service provider.