RGPD 2018: what you need to know to prepare your business
All our articles on the RGPD:
- The views of 3 experts (Google, Crayon, Infoclip)
- Who is affected by the new regulations?
- The must-read file on compliance is here.
- Consult the opinion of an expert:
- The RGPD audit as seen by Alexis Quentrec, RGPD specialist, Nuageo
- A boon for marketing managers, according to Olivier Martineau, CEO, Spread
- An example of a data processing register by Alain Garnier, CEO, Captain DPO
- The obligations of data processors, according to Fabrice Perbost, Partner, Harlay law firm
- Data anonymisation by Jérôme Chagnoux, GDPR Champion at Oracle
- The benefits of the GDPR, according to Julie Paci, Marketing Manager, Mailjet
What is the RGPD 2018? It is the General Data Protection Regulation, which applies throughout the European Union from 25 May 2018 (the text entered into force on 24 May 2016, with a two-year transition period before it became enforceable). The CNIL makes it clear: people's rights have been strengthened and businesses must fulfil a number of obligations regarding data protection and processing to comply with the GDPR (General Data Protection Regulation).
appvizer gives you all the keys you need to understand this new law, the importance of IT security, and shares some compliance tools with you:
What is the GDPR?
Let's start by looking at the simplest concepts for understanding the RGPD and its general principle.
The RGPD in a nutshell
The acronym RGPD stands for Règlement Général sur la Protection des Données, the French name of the regulation. GDPR is the English acronym for the same text, the General Data Protection Regulation.
The GDPR is a European regulation laid down by the European Parliament and the Council of the European Union. It reforms the rules governing the processing of personal data.
This regulation applies from 25 May 2018 to any organisation processing the personal data of people who are in the European Union, whether or not that organisation is itself established in the EU (Article 3).
In summary, the GDPR:
- requires every processing operation to rest on a lawful basis; where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and the person must be able to withdraw it as easily as they gave it,
- sets out mandatory actions for companies to take to ensure compliance,
- imposes heavy penalties on any company that does not comply, and gives citizens the right to take legal action.
The right to control personal data
This regulation specifies and strengthens the rights of all Europeans:
- data portability: EU citizens must be able to take their data from one service and pass it on to another;
- transparency regarding the use of their data: EU citizens must be informed about how their data is used. They must be able to access their data and modify it as they wish;
- minors are protected: where an online service offered directly to a child relies on consent, a child under 16 cannot consent alone and the consent of a parent or guardian is required (Member States may lower this threshold to as low as 13; France set it at 15);
- a protection authority: if citizens encounter a problem or notice an anomaly in the processing of their data, they can lodge a complaint with the supervisory authority of their own country, which handles the case even when the company is established in another Member State (the "one-stop shop" mechanism);
- penalties for companies that break the law: any company that fails to respect citizens' rights is liable to an administrative fine of up to €20 million or 4% of its total worldwide annual turnover, whichever is higher;
- the right to erasure ("right to be forgotten"): in accordance with the principle of respect for privacy, citizens can demand that their personal data be deleted when there is no longer a lawful reason to keep it; one well-known application is asking a search engine to remove a web page from the results returned for a search on their name (de-indexation of the page).
What data should be protected?
Whether collected and used via a secure online platform, on the internet or elsewhere, all personal data must benefit from the protection guarantees set out in the European regulation:
Data protection principles must be applied to any information concerning an identified or identifiable natural person.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR), Article 4(1), published in the Official Journal of the European Union on 4 May 2016. (Directive (EU) 2016/680, adopted the same day, is a separate text that governs processing by police and criminal justice authorities.)
Examples of personal data to be protected under the RGPD:
- gender,
- age,
- telephone number,
- email address,
- salary or remuneration,
- facial photograph,
- postal address,
- marital status,
- username and password,
- bank card number,
- social security number,
- whether you wear glasses (and the degree of correction),
- any physical characteristics,
- any psychological characteristics,
- etc.
Examples of sensitive data, whose processing is prohibited in principle and allowed only in narrowly defined cases (Article 9), together with two categories that receive specific protection of their own (criminal convictions under Article 10, children's data under Article 8), for example where collected to monitor or manage a place open to the public:
- political opinion,
- trade union activity,
- religious (or agnostic) beliefs,
- sexual preferences,
- medical information,
- biometric analyses,
- criminal convictions,
- data concerning minors.
Any data collected for consumer profiling purposes must also be protected and fall within the framework of transparency imposed by law:
- data collected on the Internet via cookies,
- analysis of the behaviour of the internet user identified on the website (behavioural data),
- online or offline consumption habits,
- advertising retargeting,
- metadata concerning an individual,
- etc.
Companies concerned
Regardless of its geographical location, any company is affected by the GDPR from the moment it processes the personal data of people in the European Union. The regulation makes no distinction between a company established in Europe and a company based outside the European zone that offers goods or services to people in the EU or monitors their behaviour there, whatever the nationality of those people (Article 3(2)).
Am I affected by the RGPD?
Your organisation is affected if, in the course of your business, you use at least one of the following words: prospect, customer, employee, colleague, patient, taxpayer, citizen, user, member, donor.
Do you store data in CRM software, on an online platform or in a file?
Do you collect, process and use the private data of European citizens?
As the RGPD protects citizens, there is a 99.9% chance that you will be affected!
The European Regulations 2018 apply to the following businesses and organisations:
- local and regional authorities, administrations,
- companies (human resources managers, customer data processors),
- associations (professional, political, religious, etc.),
- hospitals and medical professionals,
- hosting companies,
- Cloud backup companies,
- data storage services,
- publishers of software or IT systems installed in companies,
- VSEs, SMEs, etc.
The parties responsible for protection
The regulation makes every organisation involved in any stage of data processing, whether as controller or as processor, responsible for data protection.
The supervisory authority in France is the CNIL. This body issues certifications, carries out checks and sanctions companies that fail to comply with the regulation.
Here are the main players who must be held to account at the CNIL's request:
- The data controller: the organisation that decides why and how personal data is processed. It is responsible for the processing and must adopt a transparent code of conduct, deploy compliant procedures and provide documentary evidence in the event of an inspection;
- The DPO (Data Protection Officer): this expert is appointed by the company to ensure the best possible data protection. Appointment is mandatory for public bodies and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data (Article 37), and optional but recommended otherwise. The DPO's role is to provide independent support to ensure that the company complies with the RGPD;
- The processor ("subcontractor" in French usage): any organisation that processes personal data on behalf of the controller. Its own obligations apply as soon as it handles the data, whether its head office is in Europe or elsewhere, and the controller must bind it by a contract containing the clauses required by Article 28.
Compliance and obligations
To prepare your company for compliance with the RGPD, appvizer provides a detailed guide. Here are the main points.
4 articles to remember from the European law
Regulation (EU) 2016/679 of the European Parliament and of the Council, the RGPD, was adopted on 27 April 2016 and published in the Official Journal of the European Union on 4 May 2016.
Through its articles, this official text of the RGPD specifies important concepts:
- Article 5, "Principles relating to processing of personal data", stresses in particular the lawful, fair and transparent aspects of processing, the relevance of the data collected in relation to the purpose of use (data minimisation), and storage limitation: data must not be kept in a form that identifies people for longer than the purpose requires. The regulation sets no fixed retention period; the controller must define and justify one for each processing operation.
- Article 36, "Prior consultation", requires the data controller to consult its supervisory authority before starting a processing operation when the impact assessment (DPIA, Article 35) shows that the processing would still present a high risk despite the measures planned. The authority assesses the data protection conditions and may give written advice within eight weeks.
- Article 37, "Designation of the data protection officer", requires a data protection officer (distinct from the data controller) to be appointed by public authorities and by organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data; other organisations may appoint one voluntarily. The DPO must have expert knowledge of data protection law and practice, reports to the highest level of management, and acts as the contact point for the supervisory authority.
- Article 46, "Transfers subject to appropriate safeguards", states that personal data may be transferred to a country outside the European Union that has no adequacy decision only if the controller or processor provides "appropriate safeguards" (such as standard contractual clauses adopted by the Commission or binding corporate rules) together with enforceable rights for the people concerned. Such transfers do not require the authority's prior approval unless they rely on ad hoc contractual clauses, which must be authorised (Article 46(3)); in every case the controller must be able to document the safeguards on request.
Mandatory actions and documents
These extracts from the European Regulation reflect some of the new obligations of the company responsible for data processing.
Under the new regulation, companies are given a greater sense of responsibility: they become data controllers and are required to document their compliance. This principle is known as Accountability.
Here are the main obligations to be honoured and documented in order to comply with the RGPD:
- Keep a register of data processing operations (Article 30), including: the persons responsible, the nature of the data and the categories of people concerned, the purposes, the recipients, the retention period and any transfers of data to countries outside the European Union, in order to establish data traceability;
- Carry out a Data Protection Impact Assessment (DPIA, Article 35) for any processing likely to present a high risk to the people concerned: this study describes the processing, identifies the risks to those people (including loss, leakage or misuse of their data) and their causes, assesses their likelihood and severity, and lists the organisational and technical measures required to address them;
- Implement internal procedures: raise staff awareness and introduce best practice, and put in place all the mandatory processes that enable data subjects to exercise their rights (access, rectification, portability, erasure, etc.);
- Deploy technologies that guarantee data confidentiality and security: all procedures must be detailed in writing, and a high level of security and confidentiality must be built in from the design stage of a processing operation and the related technology, with the most protective settings applied by default. This approach is known as Privacy by Design (Article 25, data protection by design and by default);
- Supervise transfers of data outside the European Union and the use of processors: check the contracts with processors and suppliers, make sure they contain the clauses required by Article 28, and ensure that any transfer rests on one of the safeguards the regulation allows;
- Keep proof of consent from consumers or users: the controller bears the burden of proving that valid consent was given (Article 7);
- Detail the procedures established in the event of data breaches: you are required to notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the people concerned (Article 33), and to inform those people without undue delay when the breach is likely to put their rights and freedoms at high risk (Article 34). Every breach, notified or not, must be recorded internally.
Penalties
While the fines are high, we must not forget the damages that every citizen can claim: in addition to the financial loss, the repercussions on the company's image can destroy its reputation and, inevitably, reduce its activity through the loss of customer confidence.
The amount of the fine
The fine can be as high as €10 million or 2% of annual worldwide turnover, whichever is higher: this tier applies when the supervisory authority finds that the company has not fulfilled its organisational and technical obligations, such as conducting an impact assessment (DPIA), keeping a register of data processing operations, implementing security processes (including for its processors) or adopting the Privacy by Design approach.
The fine can be as high as €20 million or 4% of annual worldwide turnover, whichever is higher: this tier applies when the supervisory authority finds that the company is breaching the basic principles of processing, including the conditions for consent, is not respecting people's rights, or is transferring data outside the EU without a valid safeguard.
The position of the CNIL
In an article in Les Echos (dated 18/02/2018), Isabelle Falque-Pierrotin, President of the Commission Nationale de l'Informatique et des Libertés, provides the following clarifications on the CNIL's control strategy:
We are going to be pragmatic and flexible. There are a number of principles in the GDPR that are not new. For example, the obligation to specify the purposes for which personal data is collected, or the limits on how long data can be retained. We will be checking these points on 26 May, as we did on 12 April. On the other hand, when it comes to new principles or tools, such as the right to data portability from one service to another, data protection officers or the processing register, we will adopt a supportive stance. Our aim will not be to immediately sanction breaches of new obligations linked to the RGPD. This will certainly last for the duration of 2018. After that, we'll see.
Compliance tools
In 2018, the CNIL will be conciliatory with companies that demonstrate good faith. The important thing is to start the process and give yourself the means to honour the requirements demanded by the regulation. Here are some RGPD compliance solutions to achieve the goal with peace of mind.
ORYGA: governance of personal data
- the purposes of processing are aligned with your personal data governance,
- pre-filled processing forms according to purpose to save time,
- integration of the privacy by design approach into the solution,
- traceability of data and requests to exercise rights,
- detailed security processes,
- integrated event and risk management.
Compliance Booster: compliance solution with on-demand DPO
- impact assessment (DPIA),
- the data processing register,
- outsourcing your DPO (specialist lawyers),
- storage of proof of consent,
- transmission of proof of consent to the CNIL within 72 hours,
- fully computerised and traceable documents listing your security processes.
Confidence-building argument: Compliance Booster covers the financial risk of up to €90 million in the event of an error for which it is responsible.
Privacil-DMPS: compliance tool for DPOs
- DPIA summaries to determine the priority actions to be taken,
- a synoptic view of completed and forthcoming actions,
- simplified procedures for managing access to and exercising rights over personal data,
- the purposes of processing are determined,
- procedures for restriction or destruction are provided for in the event of a request.
Notification to the CNIL within 72 hours in the event of a data breach must contain at least (Article 33(3)): the nature of the breach, including the categories and approximate number of people and records concerned; the name and contact details of the DPO or another contact point; the likely consequences of the breach; and the measures taken or proposed to address it and mitigate its effects. Where all this information is not available at once, it may be provided in phases without undue further delay.
Long-term benefits
The advantages of the RGPD for a company or organisation are beneficial when all aspects of the regulation are considered in the long term.
A summary of the benefits to come.
A new era of trust
This requirement for security that gives power back to the consumer will inspire trust:
- consumer trust in responsible companies that respect people's rights when it comes to their data,
- trust between businesses, which are now relying on common standards.
A new business climate
Transparency will create a new climate of trust conducive to business.
Companies that assume their responsibilities project a positive image and win the loyalty of their customers. Purchasing behaviour and the opinions expressed on the web and social networks will direct choices towards the most transparent and respectful companies.
This will mark the end of opaque businesses where the management of personal data is not taken seriously.
What's more, trade barriers between European Union countries - and this also includes companies outside the European Union, as the subject of the RGPD is very much in vogue in the USA - will come down as a result of common processing compliance rules.
Reduced costs
What did we do before the RGPD? Each of the 28 Member States had its own transposition of the 1995 Data Protection Directive, so a company operating across Europe faced 28 different laws and multiplied its compliance costs accordingly. The RGPD will simplify the current IT imbroglio.
The common standard will lead to the detection and elimination of "duplicate" processes and applications. As a result, resources and operational processes will be rationalised, resulting in budget savings.
More effective marketing
All digital marketing actions will automatically benefit from:
- up-to-the-minute personal data, with no more inaccurate information,
- proven consent, which will improve the targeting and effectiveness of email campaigns in particular,
- centralised data processing, with no more divergent versions of customer files.
Ultimately, the marketing department will save time, refine its segmentation and implement better customer acquisition campaigns.