RGPD Compliant: how to protect your company's personal data?

Personal data, European standards, explicit consent... Enough to give cold sweats to those who regard legal rules as an indecipherable enigma 📚🤔.

Don't panic: here are our tips to help you become RGPD Compliant. Spoiler: compliance is not a burden, but a real lever for growth!

See all software General Data Protection Regulation (GDPR)

Step 1: Keep an RGPD Compliant data processing register.

The processing register is a document designed to analyze and record personal data within the company, including those under the control of data controllers and processors.

In this way, you can identify who has access to the data, and for what purposes.

Gather details of each RGPD Compliant processing activity

The data collected in this register focuses in particular on:

• the purpose of each processing activity;
• the categories of personal data processed
• data recipients;
• data transfers outside the EU;
• security measures in place.

☝️ Note that the General Data Protection Regulation (GDPR) requires this register to be kept up to date and made available to the authorities. Its format must be comprehensible and easy to access in the event of a consultation request.

Mandatory information to be included in the register

The RGPD Compliant register contains detailed information on every personal data processing activity carried out by the company. According to the Commission Nationale de l'Informatique et des Libertés (CNIL), it must include:

• the contact details of the data controller (RT), as well as those of the data protection officer (DPD) if the company appoints a DPD;
• a precise and detailed description of the reasons why you are processing the data;
• the categories of personal data processed;
• the categories of persons concerned by such processing;
• the recipients or categories of recipients of the data;
• any data transfers to third countries, and the guarantees governing these transfers;
• data retention periods, in compliance with regulatory requirements;
• the technical and organizational processes put in place to guarantee security and limit the risks of infringement of fundamental freedoms.

💡 Be aware that model activity registers are made available by the CNIL, the Chambers of Commerce and Industry (CCI) or the government portal France Num. You can also rely on specialized tools.

For example, with Witik, an RGPD compliance platform, in just a few clicks you create customized registers according to your specificities, from a base designed and thought out by an experienced law firm. In addition to this, the software supports you in other aspects of your RGPD Compliant: carrying out audits, managing consents, data security, etc.

Step 2: Sort and categorize personal data to ensure RGPD compliance

The RGPD requires transparency and compliance in the processing of personal data. To achieve this, you need to identify all processing activities, then sort and categorize them.

On the one hand, you guarantee your compliance with the RGPD and reduce the risks of confusion during controls framed by the CNIL or other competent authorities. On the other, you improve the collection, use, retention and protection of users' personal data.

The different types of sensitive data

The RGPD distinguishes between ordinary personal data and sensitive data. The latter includes information concerning:

• health ;
• ethnic origins ;
• political opinions
• religious beliefs;
• sexual orientation ;
• and other aspects of the individual's private life.

The GDPR prohibits the processing of such data, unless it is justified by a specific legal basis, such as the explicit consent of the data subject or when it is necessary to protect his or her vital interests.

👉 Before processing sensitive data, users' consent must be obtained, and additional security measures must be put in place to guarantee their protection.

RGPD Compliant data sorting and retention methods

To help companies, the France Num portal offers a classification model based on data sensitivity level:

• Level 1: data that has no particular sensitivity. For example, business contact details;
• Level 2: data presenting a moderate security risk. E.g.: transaction data (order number, amount, date, etc.);
• Level 3: sensitive data that presents a high risk to data subjects. E.g.: financial data such as credit card numbers.

The higher the level, the greater the care and protection required.

It is also imperative to determine appropriate retention periods for each type of data, according to the time required to achieve the initial purpose for which it was collected. Once this period has elapsed, data must be securely deleted.

Step 3: Guarantee and facilitate the exercise of users' rights

Your company's RGPD compliance involves respecting individual rights over personal data.

Individual rights at the heart of RGPD Compliant

Users have the right to request access, rectification, deletion and portability of their personal data. They can also object to or limit their processing.

What are the main individual rights?

• The right of access means that users can ask the company for the personal data it holds on them. If this data is incorrect or inaccurate, the user can demand that it be rectified or updated.
  
  
• The right to the deletion of personal data enables the user to ask the company to delete it in certain circumstances, such as when it is inaccurate, unnecessary or when the user withdraws his or her consent.
  
  
• The right to data portability gives users the right to transfer their personal data from one company to another.

✅ The full list of rights is available on the CNIL website.

You have a maximum of 30 days to respond to user requests.

Implement clear procedures

To enable users to exercise their personal data rights, you must :

• ensure the authenticity of the request and the confidentiality of the information transmitted;
• set up rapid processes for responding to requests to exercise these rights.

To help companies in this process, the CNIL offers a comprehensive 4-step guide to better understand the specifics of people's rights. These recommendations include

• setting up request tracking tables ;
• developing processes for checking and validating requests;
• training employees to better understand these requests.

Step 4: Secure data and prevent risks

Personal data security is a fundamental requirement for being RGPD Compliant. By ensuring that data is adequately protected, companies minimize the risks of infringement of data subjects' rights and freedoms.

Security obligations under the RGPD

RGPD compliance involves implementing appropriate security measures to ensure the protection of personal data.

You must therefore:

1. Identify risks to data ;
2. Guarantee the integrity and quality of personal data throughout its processing (regular checks, security audits, etc.) ;
3. Prepare incident response plans (intrusion detection mechanisms, etc.);
4. Ensure that only authorized persons have access to personal data, using strong authentication mechanisms (strong passwords, biometric systems, encrypted data, etc.);
5. Immediately report any incident to the CNIL.

☝️ Remember that failure to comply with RGPD regulations means (very) heavy fines and can be up to 4% of a company's annual sales or €20 million, whichever is higher.

Penalties vary according to the seriousness of the infringement, and range from warnings to compensation for the individuals concerned, suspension or withdrawal of authorization to operate, injunctions to cease the data processing concerned, etc.

Best practices in data security

Here are some of the best practices to apply to become RGPD Compliant:

• Carry out a risk assessment to determine your system's vulnerabilities, as well as the potential impacts in the event of a security incident ;
  
  
• Appoint a data protection officer, responsible for personal data management and RGPD compliance ;
  
  
• Deploy privacy policies indicating how personal data is managed, processed and stored ;
  
  
• Make employees aware of best practices and privacy rules ;
  
  
• Verify that company policies and procedures comply with RGPD regulations (including via compliance audits);
  
  
• Monitor potentially risky user accounts, such as those with access to the company's critical personal data, and implement additional protection measures (access control, data encryption, etc.) ;
  
  
• Regularly back-up all personal data to ensure that information is not lost.

In the event of a proven or suspected breach, you may be required to notify the relevant authorities and potentially affected users within 72 hours.

See all software General Data Protection Regulation (GDPR)

Key points to become RGPD Compliant

The General Data Protection Regulation (RGPD) imposes strict standards for the protection of privacy and personal data. In this sense, being RGPD Compliant implies transparency, accountability and continuity of data protection.

Although they may seem restrictive, data protection measures improve the quality of the user experience and guarantee the protection of their privacy.

RGPD compliance software can facilitate this compliance. They enable you to protect your customers' personal data while working in a secure environment.