The new General Data Protection Regulation (GDPR): you’ve heard about it at the local coffee shop, in the media, everywhere on the web, in presidential speeches…
Ah, no? Then let me give you a little recap, because if you have a marketing function, this will inevitably impact you in the next few months.
What is changing with the GDPR
On May 25, 2018, a new regulation will go into effect throughout the European Union. It aligns European countries on the subject of personal data processing and management, to the point that all companies, even non-European ones, wishing to operate on the territory of the Union will also have to comply. Beware: the penalty can be quite harsh and can amount to 4% of the company’s worldwide turnover!
The objectives of the GDPR
They are as follows (see CNIL):
- Strengthen the rights of individuals, especially minors
- Make the actors that process personal data accountable
- Give credibility to the regulation through sanctions and transnational processing
Personal data is any information relating to a natural person (not a legal entity!) who is identified or identifiable, directly or indirectly (through a cookie or an IP address, for example), by an “identifier”.
The main areas of application of the GDPR for companies
- The right to be forgotten: on a simple request, and unless there is a legitimate reason to keep it, a person can ask a company to erase their personal data. The company will also have to pass the request on to any other parties holding copies of the data.
- The citizen (or lead, in our case) must also give clear and explicit consent to the collection and processing of their data: a checkbox, for example, provided it clearly and simply states how you will process the data. The “default” opt-in, where the person is considered to have consented unless they opt out, is therefore no longer acceptable.
- Data portability: thanks to this law, people can transfer their data to another provider easily and without loss.
- The right to be informed quickly, especially in the event of a hack or data breach.
- Limitations on profiling: according to the official text, profiling is “any form of automated processing of personal data consisting of using such data […] to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict elements concerning the work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of that person”. The law provides that such profiling may only be used if the person gives consent or if it is necessary for the conclusion of a contract, and never for discriminatory purposes.
- Protection of children and minors: parental permission is required to open an account on social networks, and the right to be forgotten granted to them is also made clearer.
Long story short: Privacy becomes the norm.
But then… what to do?
Don’t panic: one of the big changes is that we move from a system of declarations to the CNIL to full autonomy on the subject, from a priori control to a posteriori control.
You will only be audited if a user files a complaint with the CNIL or if an internal or external fraud is detected (a cyber-attack or other incident).
The CNIL provides six steps to prepare for the GDPR.
Appoint a Data Protection Officer
The Data Protection Officer (DPO) is essentially the new name for the CIL (Correspondant Informatique et Libertés). If you have already appointed a CIL, he or she will become the DPO.
Appointing one is only mandatory for organizations whose core business is to process or collect personal data on a massive scale, and for those who hold so-called sensitive data (see www.cnil.fr).
Even where it is not mandatory, this measure gives you a single point of reference for everything related to data protection. This person is in charge of informing the various actors and verifying compliance with the texts, and also serves as a relay between the company and the relevant authorities. A word of advice: appoint a DPO who is capable of playing a cross-functional role, ideally reporting to general management.
Identify all personal data processing
Keep a record of all the processing you do with personal data. For example, list all opt-in consents to receive content by email, all cookies collected and on which website, etc.
The CNIL summarizes it simply: Who? What? When? Where? How? Why, and until when?
Once all the processing operations have been identified, draw up an action plan to remedy any missing, incorrect or poorly documented information.
Manage risks through data protection impact assessments (DPIAs)
When you carry out “risky personal data processing”, you will need to conduct an impact assessment on that processing. You will often see the acronym PIA, for Privacy Impact Assessment.
When the CNIL talks about sensitive data “at risk”, it means that the processing carried out on that data presents a risk to the freedoms of the persons concerned. There are three main cases:
- The data collected deals with “sensitive” subjects: religion, sexual orientation, judicial data, genetic data, biometric data, political opinions, a person’s health, etc.
- The use of profiling with legal or significant consequences for the data subject
- Data is transferred to countries outside the EU
Develop internal monitoring procedures dedicated to the GDPR
The GDPR introduces, among other things, a new principle of privacy by design. This means building in, from the design stage of an application or a processing operation, the measures that protect the personal data collected or processed.
Your internal procedures should also cover all the steps to follow when a person requests access to, correction of, or deletion of their personal data: how to respond? Who responds? Within what timeframe?
And, as with any new internal procedure, do not forget to communicate it to all the actors directly or indirectly involved in processing this data. Make sure your employees know who to contact, what to do, and how to react to a request or a security breach, for example.
Document all of the above points
Consolidate all related documents into a comprehensive file that will demonstrate your compliance with the regulations:
- The impact study if there is one
- The register of personal data processing
- All procedures in case of complaints
- The register of consents
In the event of an audit, these will allow you to prove that:
- you seek to comply with the regulations in force
- you are aware of the risks generated by your various data processing operations.
These six steps of the GDPR can, we won’t hide it, seem quite tedious.
But when you step back, you realize that the exercise can also be genuinely useful:
- Clean up and clarify all the data you process
- And thus gain a global view of what is happening in your database
- Review your opt-ins and unsubscribes to start again on a clean basis
- Involve and raise awareness among all the people using this data
- Anticipate the risks of cyber-attacks
An essential point to remember from this long checklist is that we are moving to a posteriori control: no one will come to monitor you every year!
However, if a complaint is filed, the CNIL will come knocking at your door to check that you are in order. The main thing will then be to prove that you are making a genuine effort to comply, and that you have started to implement appropriate processes.
If you are missing a step, but you have a well-defined action plan and can show that measures have already been put in place, you should not be sanctioned.
Bottom line? Don’t panic; take the time to get clear on your data management and integrate it into your digital transformation project.
If panic rises, “keep calm and call us”!