search
Where Thought Leaders go for Growth
Reference a solution

RGPD Compliant: how can you protect your company's personal data?

RGPD Compliant: how can you protect your company's personal data?

By Jennifer Montérémal

Published: 28 October 2024

Personal data, European standards, explicit consent... Enough to give cold sweats to those who regard the legal rules as an indecipherable enigma 📚🤔.

Don't panic: here's our advice to help you become RGPD Compliant. Spoiler: compliance is not a burden, but a real lever for growth!

Step 1: Keep an RGPD Compliant data processing register.

The data processing register is a document designed to analyse and record personal data within the company, including that held by data controllers and processors.

In this way, you can identify who has access to the data and for what purposes.

Gather details of each RGPD Compliant processing activity

The data collected in this register focuses in particular on :

  • the purpose of each processing activity;
  • the categories of personal data processed
  • the recipients of the data
  • data transfers outside the EU;
  • the security measures in place.

☝️ Note that the General Data Protection Regulation (GDPR) requires this register to be kept up to date and made available to the authorities. Its format must be comprehensible and easy to access in the event of a consultation request.

Mandatory information to be included in the register

The RGPD Compliant register contains detailed information on each personal data processing activity carried out by the company. According to the Commission nationale de l'informatique et des libertés (CNIL), it must include :

  • the contact details of the data controller (RT) as well as those of the data protection officer (DPO) if the company appoints a DPO;
  • a precise and detailed description of the reasons why you are processing the data;
  • the categories of personal data processed
  • the categories of data subjects affected by the processing
  • the recipients or categories of recipients of the data;
  • any transfers of data to third countries, and the guarantees governing such transfers;
  • how long the data is kept, in accordance with regulatory requirements;
  • the technical and organisational processes put in place to guarantee security and limit the risks of infringement of fundamental freedoms.

💡 You should be aware that model activity registers are available from the CNIL, the Chambers of Commerce and Industry (CCI) and the government portal France Num. You can also use specialised tools.

For example, with Witik, an RGPD compliance platform, in just a few clicks you can create personalised registers to suit your specific requirements, using a database designed and developed by an experienced law firm. In addition to this, the software supports you in other aspects of your RGPD Compliant: carrying out audits, managing consents, data security, etc.

Step 2: Sorting and categorising personal data to ensure RGPD compliance

The RGPD requires transparency and compliance in the processing of personal data. To achieve this, you need to identify all processing activities, then sort and categorise them.

On the one hand, you guarantee your compliance with the RGPD and reduce the risk of confusion during inspections by the CNIL or other competent authorities. On the other hand, you improve the collection, use, storage and protection of users' personal data.

The different types of sensitive data

The RGPD distinguishes between ordinary personal data and sensitive data. Sensitive data includes information relating to:

  • health
  • ethnic origin
  • political opinions
  • religious beliefs
  • sexual orientation ;
  • and other aspects of the individual's private life.

The GDPR prohibits the processing of such data unless it is justified by a specific legal basis, such as the explicit consent of the data subject or where it is necessary to protect his or her vital interests.

👉 Before processing sensitive data, the consent of users must be obtained, and additional security measures must be put in place to ensure their protection.

RGPD Compliant data sorting and retention methods

To help businesses, the France Num portal offers a classification model based on the level of sensitivity of the data:

  • Level 1: data that is not particularly sensitive. For example, business contact details;
  • Level 2: data that presents a moderate security risk. E.g. transaction data (order number, amount, date, etc.);
  • Level 3: sensitive data that presents a high risk for the people concerned. For example, financial data such as credit card numbers.

The higher the level, the greater the care and protection required.

It is also imperative to determine appropriate retention periods for each type of data, depending on the time required to achieve the initial purpose for which it was collected. Once this period has elapsed, it must be securely deleted.

Step 3: Guaranteeing and facilitating the exercise of users' rights

Your company's RGPD compliance means respecting individual rights to personal data.

Individual rights at the heart of RGPD Compliant

Users have the right to request access, rectification, deletion and portability of their personal data. They can also object to or limit the processing of their data.

What are the main individual rights?

  • The right of access means that users can ask the company for the personal data it holds about them. If this data is incorrect or inaccurate, the user may request that it be rectified or updated.

  • The right to the deletion of personal data allows the user to ask the company to delete it in certain circumstances, such as when it is inaccurate, unnecessary or when the user withdraws consent.

  • The right to data portability gives users the right to transfer their personal data from one company to another.

✅ The full list of rights is available on the CNIL website.

You have a maximum of 30 days to respond to user requests.

Implement clear procedures

To enable users to exercise their personal data rights, you must :

  • ensure the authenticity of the request and the confidentiality of the information provided ;
  • put in place rapid processes for responding to requests to exercise these rights.

To help companies in this process, the CNIL is offering a comprehensive 4-step guide to better understand the specificities of people's rights. The recommendations include

  • setting up request monitoring tables ;
  • developing processes for checking and validating requests;
  • training employees to better understand these requests.

Step 4: Secure data and prevent risks

The security of personal data is a fundamental requirement for RGPD Compliant status. By ensuring that data is adequately protected, companies minimise the risks of infringement of the rights and freedoms of the people concerned.

Security obligations under the RGPD

RGPD compliance involves implementing appropriate security measures to ensure the protection of personal data.

You must therefore:

  1. Identify the risks to the data;
  2. Guarantee the integrity and quality of personal data throughout its processing (regular checks, security audits, etc.);
  3. Prepare incident response plans (intrusion detection mechanisms, etc.);
  4. Ensure that only authorised persons have access to personal data, using strong authentication mechanisms (strong passwords, biometric systems, encrypted data, etc.);
  5. Immediately report any incident to the CNIL.

☝️ Remember that failure to comply with the RGPD regulations is synonymous with (very) heavy fines and can amount to up to 4% of a company's annual turnover or €20 million, whichever is higher.

Penalties vary according to the seriousness of the offence, and range from warnings to compensation for the individuals concerned, suspension or withdrawal of the licence to operate, injunctions to stop the data processing concerned, etc.

Best practice in data security

Here are some of the best practices for becoming RGPD Compliant:

  • Carry out a risk assessment to determine the vulnerabilities of your system and the potential impact in the event of a security incident;

  • Appoint a Data Protection Officer, responsible for personal data management and RGPD compliance;

  • Implement confidentiality policies indicating how personal data is managed, processed and stored;

  • Make employees aware of best practices and privacy rules;

  • Check that the company's policies and procedures comply with the RGPD regulations (in particular via compliance audits);

  • Monitor the accounts of users at potential risk, such as those with access to the company's critical personal data, and put in place additional protection measures (access control, data encryption, etc.);

  • Regularly back up all personal data to ensure that information is not lost.

In the event of an actual or suspected breach, you may be required to notify the relevant authorities and potentially affected users within 72 hours.

The key points for becoming RGPD Compliant

The General Data Protection Regulation (GDPR) imposes strict standards on the protection of privacy and personal data. In this sense, being RGPD Compliant implies transparency, responsibility and continuity of data protection.

Although they may seem restrictive, data protection measures improve the quality of the user experience and ensure that their privacy is protected.

RGPD compliance software can make this easier. It enables you to protect your customers' personal data while working in a secure environment.

Article translated from French