What are the obligations and concrete applications for companies?
The General Data Protection Regulation (GDPR) represents an important modernization of European laws on this subject. It will enter into force in all member states of the European Union in May 2018.
The GDPR is intended as a counterweight to the spectacular advances in technology, and in particular the Internet, which over time have allowed merchants, advertisers and other organizations to collect ever more personal data and make massive use of it, without the persons concerned necessarily knowing it and/or being able to request that the exploitation of the data concerning them cease.
It is very restrictive for companies and for all systems that process personal data. All European companies and all companies that manage data on European territory or of European citizens are affected. Failure to comply may result in fines of 4% of a company’s annual global turnover or 20 million euros (section 83.6 of the Regulations).
Extension of the concept of personal data
For the GDPR, “personal data” is “any information relating to an identified or identifiable natural person”, “directly or indirectly”, in particular by reference to a name, an online identifier or location data.
This implies that, in addition to obvious personal data such as a name or an email address, elements such as an IP address, geolocation or cross-referenced cookie information are also concerned.
5 essential points
We can summarize the essentials of the GDPR in 5 points.
1. Mandatory notifications of data breaches
The regulation requires any data breach (personal data breach) to be reported within 72 hours.
This has an obvious impact on the relationships that any company maintains with its service providers since each member of the chain will have to assure the others that it has put in place all the measures necessary to avoid data leaks.
2. Right to be forgotten
The right to be forgotten, already implemented for Google search results, is extended. Concretely, the websites and organizations which manage data must respond positively to any request for deletion of personal data.
3. Reinforcement of the obligation of consent
The GDPR marks the end of consent by default for the use of personal data.
It will also be up to data controllers and their processors to prove that consent has been obtained. They must also keep a record of this consent.
Consent must be requested clearly and separately. This implies, for example, that on a website the request to record data must be the subject of a separate form, without pre-ticked boxes.
Anyone agreeing to the use of their data may reverse their decision.
Also note that companies may no longer make access to their service conditional on the person accepting the use of their personal data.
4. Collection of data only for specific, explicit and legitimate purposes
Companies must specify the purpose of the data processing and collect only the data necessary for this processing.
The data retention period may not exceed that necessary for this purpose.
5. Responsibility for data management
Companies that manage personal data must at all times be able to prove that they comply with the General Data Protection Regulation (GDPR). In France it is the CNIL that will verify this.
If the company has more than 250 employees, it must have a DPO (Data Protection Officer), whose role will be to:
• Monitor the implementation of the GDPR and staff training, with a de facto focus on marketing, communication, and HR.
• Describe the processes and purposes of data collection, the flows of data collected, their nature and the actions of any subcontractors (and keep an updated register of all processing of personal data and of the subcontractors having access to it; this register must be permanently consultable by the CNIL).
• Record the recipients of personal data, where the data are stored, and the time limits for their erasure.
• Handle responses to requests from the supervisory authority and from individuals, and resolve any cases of GDPR violation.
Significant changes, including at the contractual level, will have to take place so that all the actors in a data processing chain can jointly guarantee their security and compliance with the GDPR. Specific clauses are recommended on this subject in contracts with subcontractors.
Until now, personal data was often used without asking the authorization of the persons concerned, or by having them confirm their agreement by default.
The GDPR reverses this state of affairs by prohibiting the collection of personal data by default and, in any case, limiting it to a specific framework and use.
Concretely, every company will have to prepare for the GDPR, because it collects data if only through its website. Only the data strictly necessary for the pursuit of its objectives should be collected and processed.
The collection and processing of data must be carried out within the framework of a contract, with the consent of the person (obtained through a comprehensible mechanism, separate from the data collection itself), and the information notices must comply with the new rules.
The means of access and correction / deletion of data by the persons concerned must be put in place.
A data security system capable of preventing data leaks, or of alerting when they occur, must be set up; it must also involve (technically and legally) the service providers and subcontractors that handle this data.
Finally, large companies will need to have a DPO.