The General Data Protection Regulation (GDPR) (EU) 2016/679


Effective 25 May 2018, this new European regulation comes into force in France, complementing the French law No. 78-17 of 6 January 1978, the « Information Technology & Liberties » Law:

“IT should be at the service of each citizen (…). It should not damage human identity, the rights of man, privacy, personal and public privacy rights.”

The aim of this new regulation is to preserve and guarantee these principles and to supply a clear framework for all involved. It is easier to ensure that these good practices are respected when they are embedded in clear rules that apply throughout the European Union.

I. What is meant by « Personal data »?

The CNIL considers a person to be identifiable when a file contains information enabling that person to be identified, directly or indirectly, through their address, IP address, name, identity number, telephone number, photo, biometric print or any other type of information allowing a person to be singled out (place of residence, profession, gender, age…).

II. What does the text say?

Two main objectives: reinforce citizens’ rights with respect to data processing and make companies that process data more accountable.

Rights defended by the text

- the right to oblivion (the right to be forgotten): enables citizens to ask for their personal data to be deleted

- the right to data portability: the ability to move personal data from one place to another in a structured, widely used format, so as not to be tied to a particular system

- the right to restriction: the ability to request the suspension of data processing operations (not deletion). Companies must therefore adapt their IT systems in order to store the data without it being processed or modified.

III. Complying with the Regulation

There are six key steps:

Stage 1: Appoint a Data Protection Officer

Appointing a Data Protection Officer is not mandatory for every company in the private sector; it depends on the type of business. If your activity is based on personal data, then a Data Protection Officer must be appointed. If personal data processing is a secondary activity in your business or involves small volumes, it is not necessary to appoint a DPO.

Stage 2: Personal Data Processing Mapping

Carry out an inventory to evaluate the quantity of data that your business processes itself or contracts out. Without a full inventory, it is impossible to evaluate the impact of the new regulation. The inventory is required by the CNIL under the name “processing register”.

Stage 3: Prioritization

The register also serves as a road map for the different tasks that need to be completed. Compliance priorities need to be evaluated according to the risks linked to the type of data collected and how it is processed.

Stage 4: Risk management

Nine risk criteria linked to data processing have been defined:

1. Evaluation or rating

2. Automated decision with legal or equivalent significant impact

3. Systematic surveillance

4. Sensitive or extremely private data

5. Personal data processed on a large scale

6. Cross-referencing the data

7. Data concerning vulnerable individuals

8. Innovative use or the application of new technological or organizational solutions

9. Withdrawal of the right to a benefit, a service or a contract

If a data processing operation meets at least two of the above criteria, it is recommended that a Data Protection Impact Analysis be carried out. Proof of compliance with the regulation requires the preparation of records that must be kept up to date.

Stage 5: Implementing internal processes

Protecting data effectively requires internal procedures to anticipate contingencies: incidents, rectification requests, modifications, supplier changes…

Stage 6: Record-keeping

To prove compliance with the new regulation, records need to be kept and updated regularly.

IV. Impacts

Some examples:

Sending out newsletters

The rule is simple: the clear and explicit prior consent of the internet user to the use of his/her email address for marketing or commercial purposes is required. In addition, the internet user must be able to change his/her mind easily.

CRM & GDPR software: your software must be compliant

A CRM is a “data sub-contractor” (a data processor). Your company remains responsible both for the data it transmits to the CRM and for ensuring that the CRM system handles those data in compliance with the GDPR.

Measuring traffic requires the visitor’s consent, which can be withdrawn at any time

The pop-ups used on many websites, asking visitors to accept the use of cookies while they browse the site, must be far more explicit. The visitor also retains the right to withdraw his/her consent at any time.

Notify any violation of personal data

The new regulation requires official notification of any personal data breach to the supervisory authority (i.e. the CNIL for France) within 72 hours.

Conclusion

Data processors are pretty much like robots according to Asimov:

A data processor may not injure any private data or, through inaction, allow any private data to come to harm.
A data processor must obey orders given to it by human beings except where such orders would conflict with the First Law.
A data processor must protect its own existence as long as such protection does not conflict with the First or Second Law.

Glossary:

GDPR = General Data Protection Regulation
DPO = Data Protection Officer
CNIL = Commission nationale de l’informatique et des libertés (the French government commission for data protection)
CRM = Customer Relationship Management

GDPR Infographic