General Data Protection Regulation

From Officience
Revision as of 03:24, 6 February 2018 by Cpd

General Data Protection Regulation (also known as GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). (Wikipedia)

6 steps to GDPR compliance

Step 1 : choose a pilot

The DPO (Délégué à la Protection des Données) doesn’t have to be a person with a legal background. His mission is to inform, advise and carry out internal control. CNIL resources available :

  • Le CIL et le futur délégué à la protection des données [WEB]
  • Guide pratique de la prise de fonction du CIL [PDF]
  • Devenir délégué à la protection des données [WEB]

Step 1 is achieved if :

  • CIL/DPO is appointed
  • He has proper resources, financial and HR, to achieve his mission
  • Onboarding of ALL staff has started

NOTE : one DPO can serve several companies grouped together, since the job can be outsourced/mutualised

Step 2 : cartography

Make an extensive inventory of your personal data processing

CNIL resources available :

  • Modèle de registre européen [EXCEL] (NB : the template provided is more exhaustive than the GDPR requirement)
  • Exemple de fiche de registre CIL [PDF]

Step 2 is achieved if :

  • Workshops have been done with all departments within the company
  • Inventory of all data processing is achieved by main purpose and type of data processed
  • Subcontractors are identified for each processing; the RT (Responsable de Traitement : Processing Owner) knows where and to whom data is sent
  • RT knows where data is stored
  • RT knows how long the data is stored, and when and how it is destroyed

Step 3 : priorities

From your registry, identify the actions needed to comply with your current and future obligations. Prioritize by risk exposure, taking the perspective of the risk to the rights and liberties of the individuals concerned (not the perspective of the company).

CNIL resources available :

  • Guide pratique pour accompagner les sous-traitants [PDF]
  • Exemple de clauses à insérer dans les contrats entre RT et ST [PDF]

Step 3 is achieved if :

  • Sensitive data and sensitive processing are identified
  • First actions are implemented

Step 4 : Risk management

Carry out a data protection impact assessment (DPIA) when the risks are considered high, in particular if 2 of these conditions are met :

  • evaluation/scoring/profiling;
  • automated decision making with legal impact;
  • systematic surveillance;
  • sensitive data collection;
  • large scale personal data collection;
  • cross-matching of data;
  • vulnerable populations (elderly, sick, kids…);
  • use of an innovative technology;
  • loss of a specific right or benefit.

CNIL resources available :

Step 4 is achieved if : all necessary measures are in place to manage the risks of breach of privacy for individuals (access control, data anonymization, etc.)

Step 5 : organise

Set up the proper practices and procedures to guarantee that personal data protection is maintained at all times, considering all possible events in the data lifecycle : security breach, handling of modification and access requests, etc.

Resources available :

Step 5 is achieved if : full lifecycle management is in place, including supervision, proactive monitoring, an escalation process, handling of reports and complaints, and reporting.

Step 6 : document

Maintain an audit trail and regularly

Step 6 is achieved if documentation exists, i.e. :

  • registry of all processings (for an RT processing data itself) or of processing categories (for a subcontractor)
  • impact analysis on data protection (see DPIA, step 4) for ALL processings that can potentially bear a high risk for individuals’ rights and liberties
  • personal data transfers outside the European Union, in particular their contractual framework or BCR, are duly framed.

References

See also