RGPD: 6 key steps and 3 tools to implement compliance
Preparing for RGPD compliance as a responsible business raises many questions that revolve around the security, confidentiality and traceability of personal data.
Would you like to understand the General Data Protection Regulation, which comes into force on May 25, 2018, what is changing for professionals, and how to meet your new obligations?
appvizer restates the steps recommended by the CNIL and enhances them with solutions for complying with the GDPR (General Data Protection Regulation):
GDPR compliance: what the law says
Companies concerned in Europe and elsewhere
The General Data Protection Regulation defends the rights of European citizens and naturally applies to any company carrying out data processing in one or more of the member countries of the European Union.
The RGPD also requires companies to respect the rights of a non-European person, but for whom data is collected and processed within the European Union.
Consequently, processors based outside the EU must comply with the RGPD:
- if they are involved in processing the data of European citizens,
- if they are involved in processing the data of a non-EU citizen, but whose data is collected within the European Union.
All websites based outside the EU and aimed at European citizens must comply with the GDPR, in particular sites offering French, German, Italian or Spanish language versions and displaying prices in euros. On the other hand, personal data must be hosted in countries offering the same level of guarantee as the European Union.
There are no territorial restrictions on the hosting of personal data. However, any host, whether European or not, must comply with very specific requirements and conform to the framework defined by the RGPD. The Privacy Shield, a treaty with the United States, for example, ensures the very high level of security and confidentiality required by the European regulation.
The main compliance officers
The European regulation considers that all players involved in one or more data processing operations share responsibility for data protection:
- The data controller: this is the company that uses the personal data. It is required to initiate processes and draw up documents specifying its code of conduct, internal data protection policy and certifications;
- The Data Protection Officer: this is a professional experienced in the uses and security measures of information and communication technologies. He or she is one of the guarantors of data protection. He or she is able to guide the company through the best practices to be adopted to ensure compliance with the regulations. The function of the delegate is described in greater detail below;
- The CNIL is the supervisory authority in France: it certifies companies' compliance and enforces the regulation on the processing of personal data. Upon request, it can ask for the documentary evidence that companies are required to keep on hand (detailed below). In the event of non-compliance, the company is liable to sanctions;
- Subcontractors: from the moment a service provider or supplier becomes involved in the data processing at the request of the data controller, the subcontractor becomes responsible too. The subcontractor is therefore required to meet precise specifications to guarantee data security, confidentiality and deletion, in other words, to comply with the GDPR.
A lawyer explains the subcontractor's compliance with the RGPD and 8 obligations to be met in a complementary article.
The criteria for lawful data processing
Article 8 of Directive 2016/680 of the European Parliament and of the Council on the RGPD stipulates two points:
1. Member States shall provide that processing shall be lawful only if and insofar as it is necessary for the performance of a task carried out by a competent authority for the purposes set out in Article 1(1) and it is based on Union law or the law of a Member State;
2. A provision of the law of a Member State which regulates processing falling within the scope of this Directive specifies at least the purposes of the processing, the personal data to be processed and the purposes of the processing.
To complete these elements of the official text, article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council mentioned by the CNIL on its site specifies the lawfulness of processing:
Processing is lawful only if, and insofar as, at least one of the following conditions is met:
a) the data subject has consented to the processing of his/her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party, or for the performance of pre-contractual measures taken at the data subject's request;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child.
Point f) of the first paragraph does not apply to processing carried out by public authorities in the performance of their duties.
To illustrate point "d)": hospital information systems need to collect health information about a patient in order to treat him or her. This data processing is therefore lawful.
6 steps to compliance
Step 1: appoint a Data Protection Officer (DPO)
As a data controller, you are required to appoint a Data Protection Officer (DPO).
The role of the DPO is to support your organization by steering the governance of the personal data for which you are responsible.
The Data Protection Officer is an impartial reference, a conductor who does everything possible to inform you, advise you and monitor compliance internally.
The DPO works independently. It is possible to internalize this function, as in public institutions, or to outsource it:
- to a specialist service provider such as a lawyer, or an independent DPO,
- the current CIL (Correspondant Informatique et Libertés) can become the DPO and see the scope of their responsibilities expand.
The DPO's missions:
- providing information and advice to all professional stakeholders: the company responsible for data processing, its internal employees, and external parties such as subcontractors;
- assessment and verification of compliance with RGPD obligations;
- recommendations for carrying out your impact assessment;
- monitoring the implementation of this study;
- collaboration with the supervisory authority: the DPO is the dedicated contact.
The DPO's obligations:
- keep abreast of all legal constraints and developments,
- study and observe what data is processed, and how,
- provide a status report,
- raise management awareness of all the implications of European regulations,
- implement actions to engage managers,
- steer the implementation of compliance and monitor it over time.
Skills:
- mastering IT rights and freedoms,
- understanding how information and communication technologies work,
- negotiation skills,
- a flair for communication,
- project management experience.
Certification of the DPO's expertise is advisable with regard to accountability: this is the principle of responsibility that requires the company to be able to prove its compliance with the RGPD through the documents it keeps and the means it deploys.
Step 2: keep a register of processing operations and assess the impact of the RGPD
It is both an obligation and legal proof: your data processing register can be consulted on simple request from the CNIL.
This register is useful because it enables a company to:
- map the processing of personal data,
- have a clear view of data security,
- draw up a complete and detailed assessment of procedures,
- determine what actions need to be taken to guarantee respect for privacy.
The processing register is a compass: it enables the company to estimate the impact of the RGPD on its organization and identify the actions to be deployed.
The supervisory authority needs to have a clear view of your register.
Your register must therefore answer the following questions:
- Who? The register identifies the parties responsible for data processing at each stage, such as the data controller, internal employees or external service providers such as subcontractors;
- What? You must specify the nature of the personal data used, and categorize it (civil status, professional background, etc.): this helps identify sensitive data such as health information, and therefore the risks involved;
- For what purpose? Indicate the purposes and describe the objectives for which the information is used: surveys, recruitment, monitoring, customer profiling, etc.;
- How is it processed? Classify your data processing by purpose, for example, and detail the actions taken to secure the data;
- Where? The reader of your register must be able to identify the origin and destination of the data, and any transfers. The country and address of the host must be identifiable. Traceability, history and flows outside the European Union must be indicated;
- For how long? Determine the retention period for each item of information.
In a companion article, an RGPD expert explains how to keep a processing register with an example.
Step 3: Determine the priority actions to take
Your processing register reflects your situation with regard to the fundamental principles of the RGPD:
- consent,
- respect for privacy
- the right to be forgotten (de-indexing web pages that mention your data),
- the right to portability (recovering information and transferring it to another organization).
The risks are real when people's rights and freedoms are at stake.
Points to watch:
- the quantity and quality of data collected and processed are reasonable, necessary and secure in relation to the purpose of the processing,
- the legal basis for processing is identified (legal obligation, consent, contract, etc.),
- information and legal notices comply with GDPR requirements,
- you have informed your subcontractors and they demonstrate their ability to ensure a high level of confidentiality and security,
- you give people the means to exercise their rights to rectify information, access, override, consent and portability.
Depending on your shortcomings, you must make every effort to comply, but also be able to demonstrate your commitment to the right path.
Step 4: Conduct an impact analysis to manage risks
You've identified a risk: you're legally obliged to carry out a data protection impact analysis for each processing operation concerned.
This impact analysis, also known as a DPIA (Data Protection Impact Assessment), consists of carrying out a complete study in order to:
- determine the cause of a risk and estimate the potential for non-compliance,
- improve data processing so that it respects people's rights,
- create the necessary technical and organizational conditions,
- prove that a risk has been eliminated.
The impact analysis of a processing operation presenting a risk makes it possible to find the best solution to prevent any data leakage, whether the data is sensitive or not.
Your DPIA is used to assess the impact of a processing operation on privacy. This analysis must describe the processing and its purposes, assess the merits of the processing in light of its purpose, identify the risks and detail the actions to be taken to remedy them.
An impact analysis is an excellent way of verifying the compliance of a processing operation, and helps to warn of a risk before the data is exposed: this is why it is strongly recommended to carry out an impact analysis upstream of the processing operation.
Processing sensitive data is an example of processing that requires an analysis: political or religious opinions, any information relating to health, racial origins, information on minors, etc.
Other sources of risk:
- poor data backup or hosting procedures,
- obsolete or faulty hardware, software vulnerability,
- cyber-attacks, malware,
- lack of data encryption.
All parties involved in the processing operation must participate in the impact analysis: the data controller, the information systems security manager, the data protection officer and subcontractors.
Important: the people who are the subject of the processing operation can be very helpful in giving their opinion on their experience of the processing operation.
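The register questions of Step 2 (who, what, for what purpose, how, where, for how long) and the Step 3-4 screening for processing that needs an impact analysis can be expressed as a simple check over each register entry. The following Python is an added example, not code from the article or from any product it mentions: the field names, the category labels, the country list and the two sample entries are all assumptions constructed for the illustration.

```python
"""Processing-register entry check (added example, not from the article).

One register entry carries the who / what / why / how / where / how-long
answers. check_entry() reports the answers that are missing and flags the
entry as needing a DPIA when it handles a special category of data, sends
data outside the EU/EEA, or documents no security measures.
"""
from dataclasses import dataclass, field
from typing import Optional

# EU/EEA member-state codes (ISO 3166-1 alpha-2); constructed for the example.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Data categories the article names as requiring an impact analysis (labels assumed).
SPECIAL_CATEGORIES = {"health", "political_opinions", "religious_beliefs",
                      "racial_or_ethnic_origin", "minors"}

# The six Article 6 lawfulness conditions, as short labels (naming assumed).
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}


@dataclass
class ProcessingEntry:
    """One line of the register: the who/what/why/how/where/how-long answers."""
    name: str
    controller: str                                          # Who is responsible
    processors: list = field(default_factory=list)           # Who else: subcontractors
    data_categories: list = field(default_factory=list)      # What data
    purpose: str = ""                                        # For what purpose
    legal_basis: str = ""                                    # Which Article 6 condition
    security_measures: list = field(default_factory=list)    # How it is protected
    host_country: str = ""                                   # Where it is hosted
    transfer_countries: list = field(default_factory=list)   # Where else it flows
    retention_days: Optional[int] = None                     # For how long


def check_entry(entry: ProcessingEntry) -> dict:
    """Return the missing register answers and whether a DPIA is indicated."""
    problems = []
    if not entry.controller:
        problems.append("who: no data controller named")
    if not entry.data_categories:
        problems.append("what: no data categories listed")
    if not entry.purpose:
        problems.append("why: purpose not stated")
    if entry.legal_basis not in LEGAL_BASES:
        problems.append(f"why: legal basis {entry.legal_basis!r} is not an Article 6 condition")
    if not entry.security_measures:
        problems.append("how: no security measures described")
    if not entry.host_country:
        problems.append("where: host country unknown")
    if entry.retention_days is None:
        problems.append("how long: retention period not set")

    reasons = []
    special = sorted(SPECIAL_CATEGORIES.intersection(entry.data_categories))
    if special:
        reasons.append("special-category data: " + ", ".join(special))
    outside = sorted({c for c in [entry.host_country, *entry.transfer_countries]
                      if c and c not in EU_EEA})
    if outside:
        reasons.append("data leaves the EU/EEA: " + ", ".join(outside))
    if not entry.security_measures:
        reasons.append("no documented security measures")

    return {"entry": entry.name, "problems": problems,
            "dpia_required": bool(reasons), "reasons": reasons}


# Constructed sample entries (hypothetical company and provider names).
NEWSLETTER = ProcessingEntry(
    name="newsletter",
    controller="Example SAS (hypothetical)",
    processors=["mailing provider (hypothetical)"],
    data_categories=["email", "first_name"],
    purpose="send the monthly newsletter to subscribers",
    legal_basis="consent",
    security_measures=["TLS in transit", "access restricted to marketing team"],
    host_country="FR",
    retention_days=365 * 3,
)

RECRUITMENT = ProcessingEntry(
    name="recruitment",
    controller="Example SAS (hypothetical)",
    data_categories=["civil_status", "professional_background", "health"],
    purpose="assess job applicants",
    legal_basis="legitimate_interests",
    host_country="US",
)

if __name__ == "__main__":
    for e in (NEWSLETTER, RECRUITMENT):
        print(check_entry(e))
```

Running the block prints a clean result for the newsletter entry and, for the recruitment entry, two missing answers (security measures, retention period) plus three DPIA reasons (health data, hosting in the US, no documented measures), which is exactly the gap the register is meant to surface before the supervisory authority asks for it.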
Step 5: Deploy appropriate internal procedures
To guarantee the best possible data protection and maintain it over the long term, you need to mobilize all your resources, raise employee awareness, integrate best practices and finally implement them.
3 processes guarantee compliance and determine whether you need to consider a total or partial overhaul of your internal organization:
- your technological capabilities,
- employee training,
- the means by which people can exercise their rights.
Scrutinize your technologies:
- anticipate incidents and estimate your ability to react to risks such as a change of host, a security breach, a request for rectification, etc.;
- adopt a Privacy by Design approach. This involves integrating and guaranteeing a high level of security and respect for privacy, right from the design stage of a technology intended for data processing;
- constantly monitoring technological and legal developments.
Train your teams:
- Compliance begins with awareness. Every employee must be informed and made aware of the issues through a training program;
- a fluid organization that encourages communication is needed to ensure that important information is passed on in real time;
- a charter of best practices, specifying sanctions, appropriate behavior and useful advice, helps to better guide employees and make them more accountable.
Give data owners the means to exercise their rights:
- every individual must be able to access and rectify his or her information, object to its use, benefit from the right of portability (...); you must be able to deal with all these requests;
- each person can exercise his or her rights via the Internet, in particular by clearly identifying the procedures to be followed and the contact person;
- in the event of a data breach, the owner must be notified as soon as possible, and the supervisory authority (CNIL) within 72 hours.
Step 6: document compliance
The data controller must demonstrate compliance with the RGPD by providing documentary evidence of all the procedures put in place.
This is the principle of accountability. The aim is to make companies accountable and to encourage them to commit to respecting the legal framework imposed by the General Data Protection Regulation.
EDM, or electronic document management, plays an important role in the RGPD: the table below lists the documents to be drawn up and kept.
Type of documents | Special features | Objectives
---|---|---
Processing of personal data | Data processing register | Establish an inventory. Identify actions to be taken.
| Impact assessments (DPIA) | Assess the impact of each processing operation on privacy. Find solutions to guarantee data protection and confidentiality.
| Data transfers outside the European Union | Frame and guarantee the RGPD standard through contractual clauses and the company's code of conduct.
Information on European citizens | Information notices | Prove that the data owner has been informed transparently.
| Model consent forms | Prove that your procedures respect the consent of individuals.
| Procedures for exercising individual rights | Prove that data owners have the means to assert their privacy rights.
Contracts governing the responsibility and role of each player involved in a processing operation | Contracts with subcontractors | Prove the capabilities of subcontractors and their commitment to co-responsibility. Update supplier contracts.
| Internal procedures in the event of data breaches | Demonstrate the ability and speed to notify the data subject and the supervisory authority within 72 hours.
| Evidence of individual consent | Provide proof that all processes have been respected.
RGPD and marketing: an expert explains why consent is an opportunity to forge a more qualitative customer relationship and add value to data.
Solutions and technologies for compliance
Your RGPD audit
To make your digital transition a success, here are 4 types of "friendly" RGPD audits that some service providers, such as an outsourced DPO, already offer on the market:
- CNIL audit: experts map your processing operations, compare them with CNIL requirements and draw up a compliance action plan;
- Compliance audit: this audit brings together the CNIL requirements and also recommends actions and terms for IT system security, following tests;
- Subcontractor audit: a professional examines the reputation of a subcontractor with its customers, ensures compliance, assesses the risks associated with data transfer, and provides a report backed up by recommendations;
- Website audit: this audit detects vulnerable aspects, updates general sales conditions and forms, for example, and checks that marketing tools are compliant.
Any DPO worthy of the name will anticipate your requests for documentation.
Advice: as you need to provide evidence of your compliance and the resources committed, consider requesting commitment clauses on the resources implemented, as well as documentation (which you must be able to provide to the supervisory authority following each audit).
Good to know: in the opinion of a specialist, the success of an RGPD audit depends on the code of conduct adopted by the company.
Best practices: security techniques
Faced with the threat of data leakage or loss, the IT security manager or DPO can offer their expertise to the company responsible for data processing.
Under the European Data Protection Regulation, sensitive data must be processed by encryption, pseudonymization or anonymization.
We've noted a few technical solutions to help you think through your action plan to achieve a level of security that meets the requirements of the RGPD:
- You can set up a procedure for automatic detection of personal data in your information system and immediately protect the data by encryption, anonymization or pseudonymization;
- The regulation imposes data traceability: it is essential to keep a permanent history of the applications connected to identities, to better control access or protect email addresses, for example;
- PAM (Pluggable Authentication Modules) secures access management by separating authentication from the software process that requires it;
- To prevent and limit the leakage of sensitive data, DLP (Data Loss Prevention) techniques are recommended: they make it possible to detect, control and protect each piece of data by analyzing it;
- Apply the SIEM (security information and event management) principle to manage security events (collection, normalization, correlation, etc.).
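The first point above names three measures for sensitive data (encryption, pseudonymization, anonymization) and the idea of detecting personal data automatically. The Python below is an added example, not code from the article or from any vendor it cites, showing what pseudonymization and anonymization actually do to a record and why they differ: pseudonymization is a keyed transformation that the data controller, who alone holds the key, can reverse through a lookup table, while anonymization discards detail irreversibly. Encryption is left out because the standard library offers no AES primitive; the key, the record, the free-text line and the French-postcode and age-band rules are constructed for the example.

```python
"""Pseudonymisation, anonymisation and detection of personal data.

Added example (not from the article). Shows the three steps the text lists
for sensitive data, minus encryption: detect identifiers in free text,
replace direct identifiers by a keyed pseudonym, and generalise indirect
identifiers so the record no longer singles out one person.
"""
import hashlib
import hmac
import re

# Constructed key for the example. In production the controller keeps this in
# a key store under its sole control, never beside the pseudonymised data.
CONTROLLER_KEY = b"controller-secret-key-for-example-only"

# Simple email pattern; good enough to find addresses in support tickets.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymise(value: str, key: bytes = CONTROLLER_KEY) -> str:
    """HMAC-SHA-256 of a normalised identifier under the controller's key.

    Equal inputs give equal tokens, so records can still be joined and
    counted. Without the key a token cannot be linked back to the person,
    and a plain unkeyed hash would be guessable by hashing known addresses.
    """
    normalised = value.strip().lower().encode()
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "pseud_" + digest[:16]


def anonymise_postcode(postcode: str) -> str:
    """Generalise a French postcode to its département (first two digits)."""
    return postcode[:2] + "xxx"


def anonymise_birth_year(year: int, today_year: int = 2018) -> str:
    """Replace an exact birth year by a ten-year age band."""
    age = today_year - year
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def detect_emails(text: str) -> list:
    """The 'automatic detection' step: find email addresses in free text."""
    return EMAIL_RE.findall(text)


def redact_free_text(text: str) -> str:
    """Replace every detected email in free text by its pseudonym."""
    return EMAIL_RE.sub(lambda m: pseudonymise(m.group(0)), text)


def protect_record(record: dict) -> dict:
    """Apply the measures to one customer record: drop the name, pseudonymise
    the email, generalise postcode and birth year."""
    out = dict(record)
    del out["name"]                                   # direct identifier removed
    out["email"] = pseudonymise(record["email"])      # reversible only with the key
    out["postcode"] = anonymise_postcode(record["postcode"])
    out["birth_year"] = anonymise_birth_year(record["birth_year"])
    return out


# Constructed sample record and support-ticket text.
SAMPLE_RECORD = {"name": "Jane Doe", "email": "Jane.Doe@example.com",
                 "postcode": "75011", "birth_year": 1985}
SAMPLE_TEXT = "Customer jane.doe@example.com asked us to delete her account."

if __name__ == "__main__":
    print(protect_record(SAMPLE_RECORD))
    print(redact_free_text(SAMPLE_TEXT))
```

The same address written with different capitalisation in the record and in the ticket maps to the same pseudonym, so the two sources stay linkable for the controller, while the generalised postcode and age band cannot be undone by anyone. Swapping the key changes every token, which is how a controller can rotate or revoke pseudonyms when a processing operation ends.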
The end of CNIL labels and certifications
On February 23, 2018, the CNIL announced the end of CNIL labels and the gradual introduction of certifications and reference systems:
CNIL is introducing a new compliance tool, certification, and is gradually phasing out its labeling activity. (...)
Certifications will be issued by certifying bodies approved by the CNIL or accredited by the national accreditation body (COFRAC). (...)
Certification of Data Protection Officers is currently being developed: certification bodies approved by the CNIL will issue DPO certifications, based on a set of guidelines drawn up by the CNIL.
Professionals and companies familiar with the following standards - or who have already embarked on a process that professionalizes their approach to personal data protection - therefore present undeniable advantages for data controllers who need help to comply with the RGPD:
- Expert lawyers in information security and privacy law;
- AFNOR's AFAQ Protection des données personnelles certification , which provides proof of the technical and organizational means implemented to comply with the RGPD ;
- Holders of the CNIL Gouvernance Informatique et Libertés label demonstrate an excellent approach to personal data management;
- ISO/IEC 27001 certification from AFNOR is proof of your skills in identifying sensitive data, and of your ability to propose security solutions.
Data protection specialists, professionals or companies who have obtained demanding certifications or labels in digital security and trust are also proof of a "friendly" GDPR approach already in place:
- Trust service providers certified by ANSSI and registered on the list of service providers recognized by France's Agence nationale de la sécurité des systèmes d'information;
- Trusted service providers who have obtained an eIDAS compliance certificate;
- The France Cybersecurity label represents a guarantee in terms of digital confidence, with particular emphasis on the quality of functionalities for users;
- Companies that have obtained the security label issued by the conformity assessment body LSTI, which testifies to compliance with French, European and international security standards;
- Organizations certified by Cloud Confidence, the benchmark for data protection transparency;
- Hosting providers who have obtained ISO 27001:2013 certification (an international benchmark), which guarantees data integrity, confidentiality and traceability;
- Companies displaying TRUSTe certification offer a guarantee of data confidentiality on the Internet.
Warning: all the certifications listed are likely to evolve and some will certainly change their names in order to be officially recognized by the CNIL and respect the RGPD framework to the letter.
Software for GDPR compliance
Compliance Booster: complete platform supplied with or without DPO
Compliance Booster online software (SaaS) meets all the requirements of the European regulation.
It brings together all the tools and resources you need within the same platform to become GDPR compliant:
- computerized documentation to prove your committed processes,
- a data and processing register,
- an integrated legal department,
- the services of a Data Protection Officer (DPO),
- proof of consent is sent within 72 hours to the competent supervisory authority in each European country,
- data hosting in France,
- financial risk coverage of up to €90 million in the event of an error by Compliance Booster.
Discover the RGPD compliance platform in video:
Compliance Booster also offers the possibility of conducting its RGPD audit as well as its impact analysis: risk assessment, inventory of processing and data, including sensitive data to better anticipate the solutions to be implemented and avoid data loss or leakage.
The Compliance Booster solution covers the entire spectrum of GDPR compliance, and enables you to outsource your data protection officer by calling on the services of specialized lawyers.
Have you already found your DPO? The platform is perfectly suited to the data protection-savvy user!
What's more, Compliance Booster's design was thought through upstream by data protection managers for companies: the founders testify to 30 years of practice in terms of data protection, information security and compliance with privacy laws.
Axeptio: the Opt-in that makes marketing RGPD-compliant
- user data is stored anonymously, securely and certified,
- you retain proof of consent with traceability over time,
- the solution provides full documentation on protection measures and procedures,
- data is hosted in France.
In particular, the solution offers a data and consent encryption system that protects user data:
Only the data controller holds the key to identifying the user who has given consent.
Benefits for all those involved in marketing:
- a GDPR-compliant Opt-in solution for collecting information from potential customers,
- the solution communicates with your CRM, ERP and marketing automation software,
- Axeptio is available as a plugin compatible with CMS and e-commerce platforms such as PrestaShop, WordPress, Drupal, Magento and Shopify.
Captain DPO: a collaborative platform for DPOs
Captain DPO puts the emphasis on collaborative working: the Data Protection Officer (DPO) can mobilize all stakeholders concerned by data protection.
Captain DPO is a collaborative tool that enables the DPO to implement fluid project management.
Captain DPO offers a range of invaluable collaborative functions for the compliance officer.
All those involved in the process, including information systems security officers, subcontractors and data controllers, work together.
The DPO can gather evidence and give instructions within the solution.
Discover Captain DPO in video:
Tools integrated into the software:
- RGPD audit and impact analysis,
- mapping of applications connected to data,
- register of processing and data,
- document management,
- complete user rights management,
- real-time notifications and alerts,
- mandatory documentation included,
- insurance covering data loss,
- data hosting in France.
Penalties if you're not GDPR-compliant
The legal provisions on fines are heavy on any organization that fails to comply with the GDPR.
Indeed, any data collection - as well as any use, processing, etc. - that does not comply with the rules of the General Data Protection Regulation will result in a penalty.
Any entity failing to comply with the GDPR can be fined up to 4% of worldwide annual turnover, or 20 million euros.
In the event of a breach of the European regulation concerning their data, any citizen can assert their rights and claim compensation for the damage(s) suffered. If the breach of the RGPD is proven, the damages can have far-reaching consequences: in addition to a "hefty" fine, it's a bad image that will come to mar the reputation of the entity in question.
In a context where the company responsible for processing must be able to provide all evidence, such as the processing register, impact analysis, proof of consent (...), an RGPD compliance solution provides valuable assistance both to the company and to the data protection officer.