But what exactly is the GDPR?
The GDPR, standing for General Data Protection Regulation, is a European law enacted on 24 May 2016 and applied since 25 May 2018.
The text defines and governs the use of personal data, and therefore affects all companies collecting personal data on French citizens, whether in France, elsewhere in Europe or anywhere else in the world.
What exactly is personal data anyway?
In French law, personal data means any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more pieces of information specific to them.
Examples of data enabling direct identification:
A customer file, a payslip, an invoice, or any other document (regardless of the medium) that identifies a person on its own.
Examples of data enabling indirect identification:
It’s called indirect identification because the data alone are not enough to identify someone; they must be cross-referenced with another data source. A telephone number, a licence plate, an address or a social security number are all examples of data enabling indirect identification.
Why implement such a regulation?
The previous directive dated from 1995. Practices and behaviours evolved considerably over those 23 years, and the European Union wanted to keep pace with these changes while giving citizens back control over their personal data.
Ultimately, the GDPR has 3 objectives:
- Strengthen European citizens’ rights
From now on, every European citizen can access, rectify and object to the data collected by a third party.
The GDPR also makes it possible for people to exercise the right to erasure and to oblivion, request limited processing of data, and even recover all the data collected on them.
- Harmonise data processing at European level
Prior to adoption of the GDPR, each of the 28 European Union countries applied the 1995 Directive in its own way. That is the very nature of a directive: it’s a legal act adopted by the EU Council that sets a number of objectives to be achieved within a given timeframe while leaving Member States free to choose how to reach them.
- Build more trust between collectors and collected
If the people whose data is collected have more rights, the collectors have more responsibilities and must be able to guarantee the highest level of data security. Recent events such as the leak of 2.7 million users’ data (Cambridge Analytica) are highly undesirable, which is one of the reasons the European Commission says it’s ready to crack down on breaches of the regulation.
How do you stay in compliance with the GDPR?
As we’ve seen previously, all companies (private and public alike) are required to comply with the Regulation.
If you’re a public authority, or your core business involves processing data that is sensitive to a greater or lesser extent, the first step is to appoint a Data Protection Officer (DPO) or GDPR Manager. This profile is a cross between legal specialist and technical manager, and is responsible for ensuring data protection through “privacy by design”, compliant collection (accountability), and reporting any personal data breach.
The second step consists of identifying all the processing operations concerned by the GDPR and then assessing their level of compliance by subjecting them to a Privacy Impact Assessment (PIA).
The third step is to keep an in-house register of processing operations and their status (processed, underway, upcoming). It’s this register that the CNIL will examine in the event of an inspection.
Finally, prevention with your data processors is essential! Among other things, the GDPR requires that the relationship between data controller and data processor be strictly governed and formalised in a written contract.
What are the risks in the event of a breach?
Since 25 May 2018, processing data without consent or another legal basis, failing to respect the individual rights described above, and similar infringements have been punishable by administrative fines of up to 20 million euros or 4% of the previous year’s global turnover.
A second tier is also provided for, up to 10 million euros or 2% of global turnover, for more specific infringements (absence of a register of personal data processing, failure to notify a security breach leading to data loss in good time, etc.).