RGPD: 6 key steps and 3 tools to ensure compliance
Preparing to comply with the GDPR as a responsible business raises many questions that revolve around the security, confidentiality and traceability of personal data.
Would you like to understand the General Data Protection Regulation, which comes into force on 25 May 2018, what's changing for professionals, and meet your new obligations?
appvizer outlines the steps recommended by the CNIL and enhances them with solutions for complying with the GDPR (General Data Protection Regulation):
GDPR compliance: what the law says
Companies affected in Europe and elsewhere
The General Data Protection Regulation defends the rights of European citizens and naturally applies to any company processing data in one or more of the member countries of the European Union.
The GDPR also requires companies to respect the rights of non-European citizens whose data is collected and processed within the European Union.
Consequently, processors based outside the EU must comply with the GDPR:
- if they are involved in processing the data of European citizens,
- if they are involved in processing the data of a non-EU citizen, but whose data is collected within the European Union.
All websites based outside the EU that are aimed at European citizens must comply with the GDPR, particularly sites that offer versions in French, German, Italian or Spanish and display prices in euros. On the other hand, personal data must be hosted in countries offering the same level of guarantees as the European Union.
There are no territorial restrictions on the hosting of personal data. However, any hosting provider, whether European or not, must comply with very specific requirements and conform to the framework defined by the RGPD. The Privacy Shield agreement with the United States, for example, ensures the very high level of security and confidentiality required by the European regulation.
The main compliance officers
The European regulation considers that all parties involved in one or more data processing operations share responsibility for data protection:
- The data controller: this is the company that uses the personal data. It is required to initiate processes and draw up documents setting out its code of conduct, internal data protection policy and certifications;
- The data protection officer: a professional experienced in the uses and security measures of information and communication technologies. They are one of the guarantors of data protection and can guide the company on the best practices to adopt so that it complies with the regulation. The role of the Data Protection Officer is described in more detail below;
- The CNIL is the supervisory authority in France: it certifies the compliance of companies and enforces the regulation on the processing of personal data. On request, it can ask for the documentary evidence that companies must keep available (detailed below). In the event of non-compliance, the company is liable to penalties;
- Subcontractors: from the moment a service provider or supplier becomes involved in the data processing process at the request of the company responsible for the processing, the subcontractor becomes responsible. The subcontractor is therefore required to meet precise specifications to guarantee the security, confidentiality and deletion of the data, in other words, to comply with the GDPR.
A lawyer explains the subcontractor's compliance with the RGPD and the 8 obligations to be met in a companion article.
The criteria for lawful data processing
Article 8 of Directive 2016/680 of the European Parliament and of the Council on the RGPD stipulates two points:
1. Member States shall provide that processing is lawful only if and insofar as it is necessary for the performance of a task carried out by a competent authority for the purposes set out in Article 1(1) and it is based on Union law or the law of a Member State;
2. A provision of the law of a Member State which regulates processing falling within the scope of this Directive shall specify at least the purposes of the processing, the personal data to be processed and the purposes of the processing.
To supplement these elements of the official text, Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council, mentioned by the CNIL on its website, specifies the lawfulness of the processing:
Processing is lawful only if, and insofar as, at least one of the following conditions is met:
a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request; or
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
To illustrate point "d)": hospital information systems need to collect health information about a patient in order to treat him or her. This data processing is therefore lawful.
6 steps to making your company compliant
Step 1: Appoint a Data Protection Officer (DPO)
As a data controller, you are required to appoint a Data Protection Officer (DPO).
The role of the DPO is to support your organisation by managing the governance of the personal data for which you are responsible.
The Data Protection Officer is an impartial point of reference, a conductor who does everything possible to inform you, advise you and monitor compliance internally.
They supervise and work in complete independence. It is possible to bring this function in-house, as in public institutions, or to outsource it:
- with a specialist service provider such as a lawyer or an independent DPO,
- the current CIL (Correspondant Informatique et Libertés) can become the DPO and see the scope of its responsibilities expand.
The DPO's duties:
- providing information and advice to all professional stakeholders: the company responsible for the processing, its internal employees, and also external parties such as subcontractors;
- assessing and verifying compliance with the obligations of the RGPD;
- making recommendations for carrying out your impact assessment;
- monitoring the implementation of this study;
- working with the supervisory authority: the DPO is the dedicated contact.
Tasks:
- keep abreast of all legal constraints and developments,
- study and observe what data is processed and how,
- provide a status report,
- raise awareness among managers of all the implications of the European regulation,
- implement actions to engage managers,
- manage the implementation of compliance and monitor it over time.
Skills:
- command of data protection law (the French Informatique et Libertés framework),
- understanding how information and communication technologies work,
- negotiating skills,
- a flair for communication,
- experience in project management.
Certification of your expertise is recommended in terms of accountability: this is the principle of responsibility that requires companies to be able to prove their compliance with the RGPD through various documents and means.
Step 2: Keep a register of processing operations and assess the impact of the RGPD
This is an obligation and legal proof: your data processing register can be consulted on simple request from the CNIL.
This register proves its usefulness because it enables a company to:
- map the processing of personal data,
- have a clear view of data security,
- draw up a complete and detailed review of procedures,
- determine what actions need to be taken to guarantee respect for privacy.
The data processing register is a compass: it enables companies to estimate the impact of the RGPD on their organisation and identify the actions to be taken.
The supervisory authority must have a transparent view of your register.
Your register must therefore answer the following questions:
- Who? The register identifies the parties responsible for data processing at each stage, such as the controller, internal employees or external service providers such as sub-contractors;
- What? You must specify the nature of the personal data used and categorise it (civil status, professional background, etc.): this will help identify sensitive data such as health information, and therefore the risks involved;
- For what purpose? Indicate the purposes, describe the objectives, for what purposes the information is used: surveys, recruitment, surveillance, customer profiling, etc.;
- How is it used? Classify your data processing by purpose, for example, and detail the measures taken to secure the data;
- Where? The reader of your register must be able to identify the origin and destination of the data and any transfers. The country and address of the host must be identifiable. Traceability, history and data flows outside the European Union must be indicated.
- For how long? Determine the retention period for each item of information.
In a companion article, an RGPD expert explains how to keep a processing register, with an example.
Step 3: Determine the priority actions to take
Your register of processing operations reflects your situation with regard to the fundamental principles of the RGPD:
- consent
- respect for privacy
- the right to be forgotten (de-indexing web pages that mention your data),
- the right to portability (recovering information and transferring it to another organisation).
The risks are real when people's rights and freedoms are at stake.
Points to watch:
- the quantity and quality of the data collected and processed are reasonable, necessary and secure in relation to the purpose of the processing,
- the legal basis for the processing is identified (legal obligation, consent, contract, etc.),
- the information and legal notices comply with the requirements of the GDPR,
- you have informed your subcontractors and they demonstrate their ability to ensure a high level of confidentiality and security,
- you provide individuals with the means to exercise their rights of rectification, access, deletion, consent and portability.
Depending on your shortcomings, you must do everything you can to comply, but you must also be able to demonstrate that you are on the right track.
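The register described in Step 2 and the points to watch in Step 3 lend themselves to being kept as structured data, so that the gaps can be checked automatically rather than by reading a spreadsheet. The block below is an added example written for this article, not code from appvizer or from any product mentioned here: each entry answers the Who / What / Why / How / Where / How long questions, and `check_entry` reports what is missing, flags sensitive categories that call for a DPIA, and flags data flows outside the EU without a documented safeguard. The field names, the tag vocabularies, the country list and the two sample entries are assumptions constructed for illustration.

```python
"""Processing register as structured data, with automated gap checks.

Added example, not part of the appvizer article or of any product it
describes. Field names, tag vocabularies and the two sample entries are
assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# EU member states (the UK was still a member when the article was written)
# plus the EEA countries, as ISO 3166-1 alpha-2 codes (assumption: adjust).
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB", "IS", "LI", "NO",
}
# Categories the article lists as sensitive (constructed tag vocabulary).
SENSITIVE = {"health", "political_opinion", "religion", "racial_origin", "minor"}
# The six lawful bases of Article 6(1) (a) to (f), as constructed tags.
LEGAL_BASES = {"consent", "contract", "legal_obligation",
               "vital_interests", "public_task", "legitimate_interests"}


@dataclass
class ProcessingEntry:
    """One line of the register: Who / What / Why / How / Where / How long."""
    name: str
    controller: str                       # Who? the company using the data
    processors: list[str]                 # Who? subcontractors involved
    data_categories: list[str]            # What? nature of the personal data
    purposes: list[str]                   # For what purpose?
    legal_basis: str                      # Step 3: basis for the processing
    security_measures: list[str]          # How? measures taken to secure it
    hosting_country: str                  # Where? country of the host
    transfer_countries: list[str] = field(default_factory=list)  # Where? flows
    transfer_safeguard: str = ""          # e.g. contractual clauses (Step 6)
    retention_days: Optional[int] = None  # For how long?
    rights_contact: str = ""              # Step 3: how individuals exercise rights


def check_entry(e: ProcessingEntry) -> list[str]:
    """Return the gaps a supervisory authority would spot in this entry."""
    findings = []
    if not e.controller:
        findings.append("Who: no controller identified")
    if not e.data_categories:
        findings.append("What: data categories not described")
    if not e.purposes:
        findings.append("Why: purposes not stated")
    if e.legal_basis not in LEGAL_BASES:
        findings.append(f"Legal basis: '{e.legal_basis}' is not one of Article 6(1) (a)-(f)")
    if not e.security_measures:
        findings.append("How: no security measures documented")
    if not e.hosting_country:
        findings.append("Where: hosting country unknown")
    if e.retention_days is None or e.retention_days <= 0:
        findings.append("How long: retention period not determined")
    sensitive = SENSITIVE & set(e.data_categories)
    if sensitive:
        findings.append(f"Sensitive data {sorted(sensitive)}: impact assessment (DPIA) required")
    outside = sorted({c for c in [e.hosting_country, *e.transfer_countries]
                      if c and c not in EU_EEA})
    if outside and not e.transfer_safeguard:
        findings.append(f"Where: data flows outside the EU ({outside}) without a documented safeguard")
    if not e.rights_contact:
        findings.append("Rights: no procedure or contact for access, rectification, deletion, portability")
    return findings


def check_register(entries: list[ProcessingEntry]) -> dict[str, list[str]]:
    """Map each processing operation to its findings (empty list = no gap found)."""
    return {e.name: check_entry(e) for e in entries}


# Two constructed entries: one complete, one with several gaps.
SAMPLE_REGISTER = [
    ProcessingEntry(
        name="newsletter", controller="Example SAS (constructed)",
        processors=["mailing provider (constructed)"],
        data_categories=["email", "first_name"], purposes=["marketing newsletter"],
        legal_basis="consent", security_measures=["TLS in transit", "role-based access"],
        hosting_country="FR", retention_days=3 * 365, rights_contact="dpo@example.invalid",
    ),
    ProcessingEntry(
        name="patient_file", controller="Example Clinic (constructed)",
        processors=["cloud backup (constructed)"],
        data_categories=["name", "health"], purposes=["patient care"],
        legal_basis="vital_interests", security_measures=["encryption at rest"],
        hosting_country="US",
    ),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name, "-> no gap found" if not findings else "")
        for f in findings:
            print("   ", f)
```

The checks only answer the register's questions; they say nothing about whether the stated measures are adequate. That judgement is what the impact assessment of Step 4 is for, which is why a sensitive category produces a "DPIA required" finding rather than a pass or fail.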
Step 4: Conduct an impact assessment to manage the risks
You have identified a risk: you are legally obliged to carry out a data protection impact assessment for each processing operation concerned.
This impact assessment, also known as a DPIA (Data Protection Impact Assessment), consists of carrying out a complete study in order to:
- determine the cause of a risk and estimate the potential for non-compliance,
- improve data processing so that it respects the rights of individuals,
- meet the necessary technical and organisational conditions
- prove that a risk has been eliminated.
The impact analysis of a processing operation presenting a risk enables the best solution to be found to prevent any data leakage, whether sensitive or not.
Your DPIA is used to assess the impact of a processing operation on privacy. This analysis must describe the processing and its purposes, assess whether the processing is justified in view of its purpose, identify the risks and detail the actions to be taken to remedy them.
An impact assessment is an excellent way of verifying the compliance of a processing operation, and helps to warn of a risk before the data is exposed: this is why it is strongly recommended that an impact assessment is carried out before the processing operation is put in place.
The processing of sensitive data is an example of processing that requires an analysis: political or religious opinions, any information relating to health, racial origins, information on minors, etc.
Other sources of risk:
- poor data backup or hosting procedures,
- obsolete or faulty hardware, software vulnerability,
- cyber-attacks, malware,
- lack of data encryption.
All the parties involved in the processing operation must take part in the impact analysis: the data controller, the information systems security officer, the data protection officer and the subcontractors.
Important: people who are the subject of processing can be very helpful by giving their opinion on their experience of the processing.
Step 5: Deploy appropriate internal procedures
To guarantee the best possible data protection and maintain it over the long term, you need to mobilise all your resources, raise awareness among your staff, incorporate good practice and finally apply it.
3 processes guarantee compliance and determine whether you need to consider a total or partial overhaul of your internal organisation:
- your technological capabilities,
- the training of your staff
- the means by which individuals can exercise their rights.
Screen your technologies:
- consider incidents and estimate your ability to react to risks such as a change of host, a security breach, a request for rectification, etc.;
- adopt a Privacy by Design approach: integrate and guarantee a high level of security and respect for privacy right from the design stage of any technology intended for data processing;
- constantly monitor technological and legal developments.
Train your teams:
- compliance begins with awareness: every employee must be informed and made aware of the issues through a training programme;
- a fluid organisation that encourages communication is needed to ensure that important information is passed on in real time;
- a charter of good practice specifying sanctions, appropriate behaviour and useful advice will help to guide employees and make them more accountable.
Give data owners the means to exercise their rights:
- everyone must be able to access and rectify their data, object to its use, benefit from the right of portability (...); you must be able to deal with all these requests;
- each person can exercise his or her rights by email, in particular if you clearly identify the procedures to be followed and the contact person;
- in the event of a data breach, the data subject (the owner of the data) must be notified as soon as possible, and the supervisory authority (the CNIL) within 72 hours.
Step 6: Provide proof of compliance through documentation
The data controller must demonstrate compliance with the RGPD by providing documentary evidence of all the procedures put in place.
This is the principle of accountability. The aim is to make companies accountable and to encourage them to commit to complying with the legal framework imposed by the General Data Protection Regulation.
Electronic document management (EDM) plays an important role in the RGPD: the table below sets out the long list of documents that need to be drawn up and kept.
| Type of documents | Special features | Objectives |
|---|---|---|
| Processing of personal data | Register of processing operations | Take stock of the situation. Identify actions to be taken. |
| Processing of personal data | Impact assessments (DPIA) | Assess the impact of each processing operation on privacy. Find solutions to guarantee data protection and confidentiality. |
| Processing of personal data | Data transfers outside the European Union | Framing and guaranteeing the RGPD standard through contractual clauses and the company's code of conduct. |
| Information about European citizens | Information notices | Prove that the owner of the data has the information in full transparency. |
| Information about European citizens | Models of consent forms | Prove that the company respects the consent of individuals in its procedures. |
| Information about European citizens | Procedures for exercising individual rights | Prove that the data owner has the means to assert his or her privacy rights. |
| Contracts governing the responsibility and role of each party involved in data processing | Contracts with processors | Proving the capabilities of subcontractors and their commitment to joint responsibility. Updating supplier contracts. |
| Contracts governing the responsibility and role of each party involved in data processing | Internal procedures in the event of data breaches | Demonstrate its ability and speed in notifying the data subject and the supervisory authority within 72 hours. |
| Contracts governing the responsibility and role of each party involved in data processing | Proof of individual consent | Provide proof that all processes have been respected. |
RGPD and marketing: an expert explains why consent is an opportunity to build a more qualitative customer relationship and make the most of data.
Solutions and technologies for compliance
Your RGPD audit
To make a success of your digital transition, here are 4 types of "friendly" RGPD audit that some service providers, such as an outsourced DPO, already offer on the market:
- CNIL audit: experts map your processing operations, compare them with CNIL requirements and draw up a compliance action plan;
- Compliance audit: this audit brings together the CNIL's requirements and also recommends actions and terms for IT system security, following tests;
- Subcontractor audit: a professional examines the reputation of a subcontractor with its customers, ensures compliance, assesses the risks associated with the transfer of data and provides a report backed up by recommendations;
- Audit of your website: this audit will identify vulnerable aspects, such as updating general terms and conditions of sale and forms, and checking that marketing tools are compliant.
Any DPO worthy of the name will anticipate your requests for documentation.
Advice: as you must provide proof of your compliance and of the resources you have committed, remember to ask for commitment clauses on the resources implemented, as well as documentation (which you must be able to provide to the supervisory authority following each audit).
Good to know: according to one specialist, the success of an RGPD audit depends on the code of conduct adopted by the company.
Good practice: security techniques
Faced with the threat of data leakage or loss, the IT security manager or the DPO can help the company responsible for data processing.
Under the European Data Protection Regulation, sensitive data must be processed by encryption, pseudonymisation or anonymisation.
We have noted a few technical solutions to help you think about your action plan for achieving a level of security that meets the requirements of the RGPD:
- you can set up a procedure to automatically detect personal data in your information system and immediately protect it by encryption, anonymisation or pseudonymisation;
- The regulation requires data to be traceable: it is essential to keep a permanent record of applications connected to identities in order to better control access or protect email addresses, for example;
- the PAM (Pluggable Authentication Modules) mechanism secures access management by separating authentication from the software process that requires it;
- To prevent and limit the leakage of sensitive data, DLP (Data Loss Prevention) techniques are recommended: they offer the possibility of detecting, controlling and protecting each piece of data by analysing it;
- Applying the principle of SIEM (security information and event management) to manage information-related events in complete security (collection, standardisation, correlation, etc.).
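The first point in the list above, detecting personal data automatically and then pseudonymising or anonymising it, is shown below as an added example written for this article; it is not code from appvizer or from any product mentioned on this page. Keyed hashing (HMAC-SHA256 with a key the controller keeps) is the pseudonymisation technique chosen here and generalisation (keeping only the email domain and the first two phone digits) is the anonymisation technique; the article itself only names the two approaches. The detection patterns, the sample support tickets and the key are constructed for illustration.

```python
"""Detect personal data in records, then pseudonymise or anonymise it.

Added example, not code from the article or from any product it describes.
Detection patterns, sample records and the key are constructed; HMAC-based
pseudonymisation and generalisation are the techniques chosen for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Simplified detection patterns for two common identifiers (assumption:
# they cover the usual shapes only, not every valid form).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone_fr": re.compile(r"\b0[1-9](?:[ .-]?\d{2}){4}\b"),
}

# Constructed secret: in practice the controller generates and guards this key.
DEMO_KEY = b"controller-secret-key-constructed-for-demo"

SAMPLE_RECORDS = [  # constructed support tickets
    "Ticket 1: alice.martin@example.com called from 06 12 34 56 78 about invoice",
    "Ticket 2: bob@example.org, no phone",
]


def detect(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) for every identifier found in the text."""
    return [(kind, m.group(0))
            for kind, rx in PATTERNS.items() for m in rx.finditer(text)]


def pseudonymise(text: str, key: bytes, lookup: dict[str, str]) -> str:
    """Replace identifiers with stable keyed tokens.

    The same value always maps to the same token, so records stay linkable;
    re-identification needs the lookup table, which only the controller keeps.
    """
    def replace(kind: str):
        def _sub(m: re.Match) -> str:
            value = m.group(0)
            token = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
            lookup[token] = value  # re-identification table, controller side only
            return f"<{kind}:{token}>"
        return _sub

    for kind, rx in PATTERNS.items():
        text = rx.sub(replace(kind), text)
    return text


def anonymise(text: str) -> str:
    """Irreversibly generalise identifiers: keep only the email domain and the
    first two phone digits. Nothing is stored, so nothing can be reversed."""
    text = PATTERNS["email"].sub(
        lambda m: "<email@" + m.group(0).split("@", 1)[1] + ">", text)
    text = PATTERNS["phone_fr"].sub(
        lambda m: re.sub(r"\D", "", m.group(0))[:2] + "********", text)
    return text


if __name__ == "__main__":
    table: dict[str, str] = {}
    for rec in SAMPLE_RECORDS:
        print("found     :", detect(rec))
        print("pseudonym :", pseudonymise(rec, DEMO_KEY, table))
        print("anonymous :", anonymise(rec))
    print("re-identification table (controller only):", table)
```

Pseudonymised output is still personal data under the regulation, because the controller can re-identify it with the table and the key, so the register entry, retention period and security measures continue to apply to it; only the anonymised form, where the generalisation is coarse enough that no individual can be singled out, falls outside that scope.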
The end of CNIL labels and certifications
On 23 February 2018, the CNIL announced the end of CNIL labels and the gradual introduction of certifications and benchmarks:
The CNIL is introducing a new compliance tool, certification, and is gradually winding down its labelling activities. (...)
Certifications will be issued by certification bodies approved by the CNIL or accredited by the national accreditation body (COFRAC). (...)
Certification of Data Protection Officers is currently being developed: certification bodies approved by the CNIL will issue DPO certifications, based on a set of guidelines drawn up by the CNIL.
Professionals and companies familiar with the following standards - or who have already embarked on a process that professionalises their approach to personal data protection - therefore present undeniable advantages for data controllers who need help to comply with the RGPD:
- Lawyers who are experts in information security and privacy law;
- AFNOR's AFAQ Protection des données personnelles certification, which provides proof of the technical and organisational measures taken to comply with the RGPD;
- Holders of the CNIL IT Governance and Freedoms label demonstrate an excellent approach to personal data management;
- ISO/IEC 27001 certification from AFNOR is proof of your skills in identifying sensitive data and your ability to propose security solutions.
Data protection specialists, professionals or companies with demanding certifications or labels for digital security and trust are also proof of a 'friendly' GDPR approach already in place:
- Trust service providers certified by ANSSI and registered on the list of service providers recognised by France's Agence nationale de la sécurité des systèmes d'information;
- Trusted service providers who have obtained an eIDAS compliance certificate;
- The France Cybersecurity label represents a guarantee in terms of digital confidence, with particular emphasis on the quality of functionalities for users;
- Companies that have obtained the security label issued by the conformity assessment body LSTI, which attests to compliance with French, European and international security standards;
- Organisations certified by Cloud Confidence, the benchmark for data protection transparency;
- Hosting providers that have obtained ISO 27001:2013 certification (an international benchmark), which guarantees data integrity, confidentiality and traceability;
- Companies with TRUSTe certification guarantee data confidentiality on the Internet.
Warning: all the certifications listed are subject to change, and some will certainly change their names in order to be officially recognised by the CNIL and comply fully with the RGPD.
Software for complying with the GDPR
Compliance Booster: a complete platform supplied with or without a DPO
Compliance Booster online software (SaaS) meets all the requirements of the European regulation.
It brings together all the tools and resources you need within the same platform to become RGPD compliant:
- computerised documentation to prove your committed processes,
- keeping a register of processing and data,
- an integrated legal department,
- the services of a Data Protection Officer (DPO),
- proof of consent is sent within 72 hours to the competent supervisory authority in each European country (a deadline imposed in France in particular),
- Data is hosted in France,
- financial risk cover of up to €90 million in the event of an error by Compliance Booster.
Discover the RGPD compliance platform in video:
Compliance Booster also offers the possibility of carrying out its own RGPD audit and impact analysis: risk assessment, inventory of processing and data, including sensitive data, to better anticipate the solutions to be put in place and avoid data loss or leakage.
The Compliance Booster solution covers the entire spectrum of GDPR compliance and enables you to outsource your data protection officer by calling on the services of specialist lawyers.
Have you already found your DPO? The platform is perfectly suited to users with data protection skills!
What's more, Compliance Booster was designed in advance by corporate data protection officers: the founders have 30 years' experience in data protection, information security and compliance with privacy laws.
Axeptio: Opt-in for RGPD-compliant marketing
- user data is stored anonymously, securely and certified,
- you retain proof of consent with traceability over time,
- the solution provides full documentation on protection measures and procedures,
- the data is hosted in France.
In particular, the solution offers a data and consent encryption system that protects user data:
Only the data controller holds the key to identifying the user who has given consent.
Benefits for all those involved in marketing:
- a GDPR-compliant opt-in solution for collecting information from potential customers,
- the solution communicates with your CRM, ERP and marketing automation software,
- Axeptio is available as a plugin compatible with CMS and e-commerce platforms such as PrestaShop, WordPress, Drupal, Magento and Shopify.
Captain DPO: a collaborative platform for DPOs
Captain DPO gives pride of place to collaborative working: the Data Protection Officer (DPO) can mobilise all the stakeholders involved in data protection.
Captain DPO is a collaborative tool that enables the Data Protection Officer to implement fluid project management.
Captain DPO offers a range of invaluable collaborative functions for the compliance officer.
All those involved in the process, including the information systems security officer, subcontractors and the data controller, work together.
The DPO can gather evidence and give instructions within the solution.
Discover Captain DPO in video:
Tools integrated into the software:
- RGPD audit and impact analysis,
- mapping of applications connected to data
- register of processing and data,
- document management,
- full user rights management,
- real-time notifications and alerts,
- mandatory documentation included,
- insurance covering data loss,
- data hosting in France.
Penalties if you are not GDPR-compliant
The legal provisions on fines have far-reaching consequences for any organisation that fails to comply with the GDPR.
Indeed, any data collection - as well as any use, processing, etc. - that does not comply with the rules of the General Data Protection Regulation will result in a penalty.
Any entity that does not comply with the GDPR may be fined up to 4% of annual worldwide sales, or €20 million.
In the event of a breach of the European regulation concerning their data, all citizens can assert their rights and claim compensation for the damage suffered. If the breach of the RGPD is proven, the damages can have far-reaching consequences: in addition to a "hefty" fine, the reputation of the entity in question will be tarnished.
In a context where the company responsible for data processing must be able to provide all the evidence, such as the processing register, the impact analysis, proof of consent, etc., an RGPD compliance solution provides invaluable assistance both to the company and to the data protection officer.