What is the GDPR?
The General Data Protection Regulation is a logical evolution of the different texts regulating the protection of consumer data in the European Union. This regulation comes into force on May 25, 2018, in all Member States of the European Union. When it comes into force, it will replace existing national regulations.
What is the purpose of GDPR?
- to give European citizens control over their personal data.
- to simplify the regulatory environment within the EU for international businesses.
- to facilitate the free flow of personal data within the EU.
For businesses, the path to compliance is will be a major undertaking. They are going to have to adapt their tools and processes, with all considerable investment implications.
What are the steps to compliance?
Considering that 74% of French people are loyal to brands that protect their personal data (Accenture Strategy study, 2016) and that the GDPR will be mandatory in one year, it’s time to get started! However, according to a study conducted by Arondor, 45% of companies surveyed are still unaware of this new regulation. What’s more, only 24% of those who do know about it have given serious thought to its implications. There’s still lots to do … companies need to take the necessary steps to be ready, and this means deciphering the text of the GDPR.
To begin, here are some of the questions you need to ask yourself: Where do you store your data? Why do you have this data? Do you have consent from your consumers to use this data? Who can access this data? Who processes the data? How long do you store them? How do you recover them?
The next step, adapt your methods and tools: delete unnecessary data in your CRM (e.g., Ms. Smith has not been a client for several years, so why continue to store information on her monthly income?). Build an impact assessment (e.g., if there were a security breach, what are the major and minor risks?). Reword your contracts to include co-responsibility for data processing. Identify any potential security breaches. Write codes of conduct (e.g., traceability of requests from individuals related to their rights to be informed and to have access to data relating to them, etc.). Add the new legal notices on your communication materials …
Are you feeling overwhelmed by the magnitude of the adjustments to be made? The best advice I can give you is: do your research! For that, you can consult the CNIL, the French data protection authority, which has a major role in clarifying and interpreting the text. Thereafter, you could also consider appointing (or recruiting) a DPO. This Data Protection Officer will be responsible for raising awareness and training teams for a smooth journey to compliance. Hang in there!
Next steps: the “13 keys” to understanding the GDPR
- Expanded definition of what constitutes personal data.
- Establishment of records of processing activities to explain the purpose of data processing.
- Reciprocal commitment of responsibility for all parties processing data.
- Implementation of “privacy by design”: the amount of personal data collected should be restricted to a minimum.
- Need for an impact assessment before collecting data in order to identify potential risks related to their processing (e.g.. if there was a security breach).
- Determination of how potential security breaches should be addressed: definition; sanction; communication.
- Creation of a new role, the Data Protection Officer (DPO): mandatory in any company with more than 250 employees or one which processes a large amount of data.
- Principle of joint controllership: joint and equal responsibility.
- Reinforcement of the notion of prior consent: it is explicit and for a fixed term.
- Extension of individual rights: from 4 rights to 6.
- New territorial scope: every European consumer is protected, regardless of where they are connected (even if they are outside the EU).
- Supervision of transfers of personal data outside the EU: only with the consent of the person.
- Increased sanctions: up to €20 million or 4% of annual global turnover.