RGPD 2018: the essentials you need to know to prepare your business
All our articles on RGPD:
- The views of 3 experts (Google, Crayon, Infoclip)
- Who is affected by the new regulations?
- The must-read file on compliance is here.
- Consult an expert's opinion:
- The RGPD audit as seen by Alexis Quentrec, RGPD specialist, Nuageo
- A boon for marketers according to Olivier Martineau, CEO, Spread
- An example of a data processing register by Alain Garnier, CEO, Captain DPO
- The processor's obligations according to Fabrice Perbost, Associate Lawyer, Harlay law firm
- Data anonymization by Jérôme Chagnoux, GDPR Champion at Oracle
- The benefits of the GDPR according to Julie Paci, Marketing Manager, Mailjet
What is GDPR 2018? It's the General Regulation on the Protection of Personal Data, which comes into force on May 25, 2018 in the European Union. The CNIL makes it clear: people's rights are strengthened and companies must fulfill numerous obligations regarding data protection and processing to comply with the GDPR (General Data Protection Regulation).
appvizer gives you the keys to understanding this new law and the importance of IT security, and presents tools to help with compliance:
What is the GDPR?
Let's start by addressing the simplest notions for understanding the RGPD and its general principle.
RGPD in a nutshell
The French acronym RGPD stands for Règlement Général sur la Protection des Données. The English acronym GDPR, for General Data Protection Regulation, is also used.
The GDPR is a European regulation defined by the European Parliament and the Council of the European Union. This regulation reforms the rules governing the processing of personal data.
This new law applies from May 25, 2018 to any company processing the personal data of a European person, whether or not that organization operates within the European Union.
In summary, the RGPD:
- makes a person's consent indispensable for collecting and processing their data,
- sets out mandatory actions for companies to take to ensure compliance,
- heavily penalizes any offending company by giving citizens recourse.
The right to dispose of personal data
This regulation specifies and reinforces the rights of every European:
- data portability: EU citizens must be able to take back their data from one service and pass it on to another;
- transparency of data use: citizens must be informed of how their data is used. They must be able to access and modify their data as they see fit;
- minors under the age of 16 are protected: on the Internet, any platform must obtain the consent of a parent before a child can register;
- a protection authority: a citizen who encounters a difficulty or observes an anomaly in the processing of their data can contact a single authority in their own country to defend their rights;
- non-compliant companies are punished: any company that fails to respect citizens' rights is liable to a fine of 4% of its worldwide sales;
- the right to be forgotten: in accordance with the principle of respect for privacy, citizens can demand that a web page be removed from search engine results (de-indexation of the page).
What data should be protected?
Whether collected and used via a secure online platform, on the Internet or elsewhere, all personal data must benefit from protection guarantees established by the European regulation:
Data protection principles must be applied to any information concerning an identified or identifiable natural person.
Source: Directive 2016/680 of the European Parliament and of the Council on the RGPD published in the Official Journal of the European Union on April 27, 2016.
Examples of personal data to be protected under the RGPD:
- gender,
- age,
- telephone number,
- email address,
- salary or remuneration,
- facial photograph,
- postal address,
- marital status,
- login and password,
- credit card number,
- social security number,
- whether you wear glasses (and the degree of correction),
- any physical characteristics,
- any psychological characteristics,
- etc.
Examples of sensitive information, collected for instance to monitor or manage a site open to the public:
- political opinion,
- union activity,
- religious (or agnostic) beliefs,
- sexual preferences,
- medical information,
- biometric analyses,
- criminal convictions,
- data concerning minors.
Any data collected for consumer profiling purposes must also be protected and fall within the framework of transparency imposed by law:
- data collected on the Internet via cookies,
- analysis of the behavior of identified web users (behavioral data),
- online or offline consumption habits,
- advertising retargeting,
- metadata concerning an individual,
- etc.
Companies concerned
Regardless of its geographical location, any company is concerned by the RGPD from the moment it processes the personal data of a European. The law makes no distinction between a company operating in Europe and a company based outside the European zone that collects and processes the data of a European citizen or a foreign citizen residing in Europe.
Am I affected by the RGPD?
Your organization is concerned if, in the course of your business, you use at least one of the following words: prospect, customer, employee, colleague, patient, taxpayer, citizen, user, member, donor.
Do you store data in CRM software, on an online platform or in a file?
Do you collect, process and use private data from European citizens?
Since the RGPD protects the citizen, there's a 99.9% chance you'll be affected!
The 2018 European regulation applies to the following companies and organizations:
- local authorities, administrations,
- companies (human resources managers, customer data processors),
- associations (professional, political, religious, etc.),
- hospitals and medical professionals,
- hosting companies,
- cloud backup companies,
- data storage services,
- software and IT system publishers,
- VSEs, SMEs, etc.
Those responsible for data protection
The law stipulates that all companies involved in any stage of data processing are responsible for data protection.
The supervisory authority in France is the CNIL. This body issues certifications, carries out checks and sanctions companies that fail to comply with the regulations.
Here are the main players who must be held to account at the CNIL's request:
- The company handling personal data: as data controller, it must adopt a transparent code of conduct, deploy compliant procedures and provide documentary evidence in the event of an inspection;
- The Data Protection Officer (DPO): this expert is appointed by the company to ensure the best possible data protection. His or her mission is to support the company, in complete independence, so that it complies with the RGPD;
- The subcontractor (processor): its responsibility is engaged as soon as its activity involves data processing; whether its head office is in Europe or elsewhere, it too must be compliant.
Compliance and obligations
To prepare your company for RGPD compliance, appvizer provides a detailed guide. Here are the main outlines.
4 articles to remember from the European law
Directive 2016/680 of the European Parliament and Council on the RGPD appeared in the Official Journal of the European Union on April 27, 2016.
Through its articles of law, this official text of the RGPD regulation specifies important notions:
- Article 4, "Principles relating to the processing of personal data", insists in particular on the lawful and fair aspects of processing, on the relevance of the data collected in relation to the purpose of use, as well as on reasonable retention of information over time (12 months).
- Article 28, "Prior consultation of the supervisory authority", states that the data controller is required to provide an impact analysis to its supervisory authority on request. This authority assesses data protection conditions.
- Article 32, "Appointment of the data protection officer", requires all companies to appoint a data protection officer (in addition to the data controller) who is well versed in technical and legal issues and capable of reporting to the supervisory authority.
- Article 37, "Transfers subject to appropriate safeguards", emphasizes that the transfer of personal data to a country outside the European Union requires the data controller to inform the supervisory authority, and to provide it with documentation specifying the "appropriate safeguards" for data protection.
Mandatory actions and documents
These extracts from the European regulation reflect some of the new obligations of the company responsible for processing.
This new regulation makes companies more accountable: they become data controllers, and are required to document their compliance. This principle is known as Accountability.
Here are the main obligations to honor and document in order to comply with the RGPD:
- Keep a data processing register including: data controllers, nature of data, purposes, classification of processing, retention period, and geographical flows and transfers of data, so as to establish data traceability;
- Carry out a Data Protection Impact Assessment (DPIA): this comprehensive study identifies the risks of data loss or leakage, their causes, and lists the resources and technical solutions required for protection and security;
- Implement internal procedures: raise employee awareness and establish best practices, put in place all mandatory processes enabling data owners to exercise their rights (rectification, portability, deletion, etc.);
- Deploy technologies that guarantee data confidentiality and security: all procedures must be detailed in writing, and it is strongly recommended to integrate a high level of security and confidentiality right from the design stage of a processing operation and related technology. This approach is known as Privacy by Design;
- Supervise the transfer of data outside the European Union: check your contracts with your subcontractors and suppliers, and ensure that they comply with RGPD standards in order to rule out any risk;
- Keep evidence of consumer or user consent;
- Detail established procedures in the event of data breaches: you are required to notify the data subject as quickly as possible and notify the supervisory authority within 72 hours.
Sanctions
While the fines are high, we must not forget the damages that every citizen can claim: beyond the financial loss, the repercussions on the company's image can destroy its reputation and inevitably reduce its activity as customer confidence is lost.
Fines
Fines can be as high as 10 million euros or 2% of worldwide annual sales: this applies if the supervisory authority finds that a company has failed to meet obligations such as carrying out an impact analysis (DPIA), keeping a register of data processing operations, implementing security processes (including for subcontractors), or adopting the Privacy by Design approach.
Fines can reach 20 million euros or 4% of worldwide annual sales: this applies if the supervisory authority finds that the company does not meet its obligations on the principle of consent and does not respect people's rights.
The position of the CNIL
In an article in Les Echos (dated 18/02/2018), Isabelle Falque-Pierrotin, President of the Commission Nationale de l'Informatique et des Libertés, provides the following clarifications on the CNIL's control strategy:
We're going to be pragmatic and flexible. There are a number of RGPD principles that are not new. For example, the obligation to specify the purposes for which personal data is collected, or the limits on how long a piece of data can be kept. On these points, we will check on May 26, as we did on April 12. On the other hand, when it comes to new principles or tools, such as the right to data portability from one service to another, data protection officers or the processing register, we will adopt a supportive stance. Our aim will not be to immediately sanction breaches of new obligations linked to the RGPD. This will certainly last for the duration of 2018. After that, we'll see.
Compliance tools
The CNIL is going to be accommodating in 2018 with companies that show good faith. The important thing is to start the process and give yourself the means to honor the requirements of the regulation. Here are some RGPD compliance solutions to help you reach that goal with peace of mind.
ORYGA: personal data governance
- processing purposes are aligned with your personal data governance,
- pre-filled processing sheets according to purpose to save time,
- integration of the privacy by design approach into the solution,
- traceability of data and requests to exercise rights,
- detailed security processes,
- integrated event and risk management.
Compliance Booster: on-demand compliance solution with DPO
- impact analysis (DPIA),
- data processing register,
- outsourcing your DPO (specialized lawyers),
- preservation of proof of consent,
- transmission of proof of consent to the CNIL within 72 hours,
- fully computerized and traceable documentation of your security processes.
Confidence-building argument: Compliance Booster covers the financial risk of up to 90 million euros in the event of an error on its part.
Privacil-DMPS: compliance tool for DPOs
- DPIA summaries to determine priority actions,
- a synoptic view of completed and upcoming actions,
- simplified procedures for managing access and exercising rights concerning personal data,
- the purposes of processing are determined,
- procedures for restricting or destroying data on request.
Notification to the CNIL within 72 hours in the event of a data breach may contain additional information, such as the name and contact details of the DPO, the nature of the breach and the persons concerned, the consequences and potential risks, and the triggering of appropriate procedures.
Long-term benefits
The RGPD brings real advantages to a company or organization when the regulation is considered in all its long-term aspects.
A summary of the benefits to come.
A new era of trust
This security requirement that gives power back to the consumer will inspire trust:
- consumer trust in responsible companies that respect the rights of individuals with regard to their data,
- trust between companies, which now rely on common standards.
A new business climate
Transparency will create a new climate of trust conducive to business.
Companies that assume their responsibilities project a positive image and win the loyalty of their customers. Purchasing behavior and opinions expressed on the web and social networks will steer choices towards the most transparent and respectful companies.
This will mark the end of opaque businesses where personal data management is not taken seriously.
In addition, common processing compliance rules will bring down trade barriers between European Union countries, and this also concerns companies outside the European Union, as the subject of the RGPD is very much in vogue in the USA.
Reduced costs
What did we do before the RGPD? We multiplied our compliance costs by 28 countries (28 different laws). The RGPD will simplify this regulatory tangle.
The common standard will lead to the detection and elimination of "duplicate" processes and applications. Rationalization of resources and operational processes follows, resulting in budget savings.
More effective marketing
All digital marketing actions will automatically benefit from:
- up-to-date personal data (goodbye to erroneous information),
- proven consent, which will improve the targeting and effectiveness of email campaigns in particular,
- centralized data processing (no more divergent versions of customer files).
Ultimately, the marketing department will save time, refine its segmentation and implement better customer acquisition campaigns.