The General Data Protection Regulation (GDPR) is a European regulation valid throughout the European Union on how companies and other organisations must behave with regard to personal data. It is the most important initiative for data protection in the last 20 years. It has important implications for any organisation that offers its services to EU citizens.
To enable citizens to control how their data is used and to protect "the rights and freedoms of natural persons", the regulation sets out strict requirements on data processing procedures, transparency, documentation and user consent.
Every organization must keep an archive of its personal data processing activities and keep track of them.
As data controllers, every organisation must keep an archive of its personal data processing activities and keep track of them. This applies both to personal data processed within the organisation and to personal data processed by third parties. They must be able to account for the type of data processed, the purpose of the processing and the countries and third parties to which the data are transferred. Data may only be transferred to other organisations that comply with the DMPR or to organisations whose jurisdictions are deemed "suitable".
Definition of the DMPP :
The DPMR defines personal data as "any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity". Online identifiers such as IP addresses are considered personal data, unless they are made anonymous. Pseudonymous personal data is also subject to the RDPG if it is possible to identify the originator of the data by reverse engineering.
All consents must be retained as evidence that consent has been given.
In the event of a data breach, the company must be able to notify the data protection authorities and the individuals concerned within 72 hours.
In addition, the DPMR obliges public authorities and companies handling sensitive personal data on a large scale to employ or train a Data Protection Officer (DPO). The DPO must take measures to ensure compliance with the DPMR at all levels of his or her organisation.
In practice: what does RGPD mean for my site?
Your site presents your activity and your company. You propose a contact form and possibly the subscription to a newsletter. The ideal is to take into account the data protection from the conception of the site. For example, take care that access to the content of your site is not conditional on subscription to your newsletter.
Some basic reflexes are to be remembered:
- You must have a page of legal notices identifying the publisher of the site. All websites, whether they are published for professional or non-professional purposes, must display mandatory information for public information. Start already by using a free RGPD legal notice generator. In a few minutes, you will be able to generate your RGPD-compatible notices. All you will have to do then is read them carefully and make the last modifications you deem necessary before publishing them on your site. In case of doubt, turn to the experts at Domaine Legal who will provide you with legal expertise. To find out more: Article " What are the mandatory mentions on a website? ».
- A means of contact so that people can exercise their rights electronically ;
- Finally, we recommend that the entire site be secured: the entire tour route must be in https.
Attention, a pre-ticked box is no longer acceptable; likewise, acceptance of the general terms and conditions does not constitute consent.
If your website serves people from the EU and you or integrated third party services (such as Google and Facebook) handle personal data of any kind, you must obtain prior consent from each visitor.
In order to obtain valid consent, you must, before handling personal data, describe the scope and purpose of the operations you perform on the data in a language easily understandable to visitors.
All consents must be archived and any tracking of personal data (including from integrated third party services) must be documented, as well as the list of countries to which the data is transmitted.
Depending on your business and the use of data, you may need to call on the services of experts.
and on social networks?
From Twitter, Facebook, and other social networks, plan to :
- to make available an article or link to a rights information page. Anticipate the effects of an online communication operation (emailing for example);
- a standard response to dissatisfied Internet users, who would exercise, for example, their right of opposition. The responsiveness and effectiveness of your response contributes to your online reputation (or e-reputation).
DPGR compliance and requirements: DPGR courses, training and certifications
You can obtain the certificates EU GDPR Foundation (EU GDPR F) and EU GDPR Practitioner (EU GDPR P), both ISO 17024 accredited, through various training courses such as those offered for example by IT Governance. The International Association of Privacy Professionals (IAPP) also provides web-based course.
DPMR Compliance Software :
There are many tools, frameworks and software available to help you comply with the requirements of the DP Regs, such as the DPOrganizerwhich offers to help you organize your data in full compliance.
Useful links :
- A Guide to the DP Regs for Small and Medium Enterprises
- CNIL: RGPD in practice: communicating online
- Take a look at the EU information page.
- Also look at theEuropean Commission infographics.
- Data Protection Regulations (download in PDF format)
- European Commission: Protection of personal data
- Suitable" countries for the DPGR
- Information Commissioner's Office (ICO): UK data protection reform
- Confidentiality by design: the 7 fundamental principles (PDF)