After a first article presenting the main principles enacted or reinforced by the GDPR, FIDEXTRA offers you a five-step process to identify the priority areas of your compliance. This article is more specifically intended for the executive directors or managers of very small, small and medium-sized enterprises (VSE-SME). Its main goal is to help you take concrete actions to comply with the GDPR.
1- What to do with your old data?
Most of you were already collecting personal data before the GDPR came into force and are concerned about your right to keep it. Nothing in the new European regulation requires you to delete this data. However, the GDPR is a good opportunity to sort through the data collected, because from now on you need a precise purpose whenever you collect and store data. For example, if you have collected all your customers’ dates of birth but they are not, or are no longer, necessary for the service, delete them. Similarly, you must also delete data about employees’ children if it is not needed to prepare the payroll, calculate social security contributions or collect the withholding tax.
In addition, if you process sensitive data (see previous article), you are required to carry out data protection impact assessments. A Privacy Impact Assessment (PIA) is carried out internally and is a document which gathers the following information:
–The data processed and the purpose of the processing;
–An assessment of the need to process this data;
–A risk assessment on the rights and freedoms of the people concerned;
–The measures proposed to overcome this risk.
If your processing of sensitive data has already been declared to the CNIL, you have three years to complete the PIA in your company.
Finally, these two principles apply to old data as well as to new data. Always make sure the processing has a purpose before processing new data, and carry out an impact assessment before setting up any processing of sensitive data.
2- How to make your website compliant?
The first point focuses on indirect data collection. You must add a banner informing internet users that your website uses cookies. This banner must clearly state the purpose of the data processing carried out by cookies, include an “Accept” button and a “Decline” button, and refer to the legal notices. In addition, your cookies must provide for automatic deletion of the collected data after 13 months.
The second point concerns direct data collection, that is, the registration forms that the visitor completes voluntarily. Such a form must state the storage period of the data and the purpose of its processing. The customer must give explicit consent by ticking a box on the form (be careful not to pre-tick boxes: that would be a passive opt-in, liable to penalties). If you store your visitors’ IP addresses, you must inform them of this and state the purpose (statistics or cybersecurity).
For both types of collection, you must fill in a consent record with the following information: date and time of consent, identity of the users, method of collecting consent, information provided to the users prior to their consent. This record demonstrates the explicit consent from internet users.
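The consent record described above, as an added example that is not FIDEXTRA's code: it stores the four listed fields, refuses a pre-ticked (passive) opt-in, records nothing on “Decline”, and computes the date by which cookie data must be deleted (13 months). The field names, the `cookie_banner` method label and the sample user are assumptions.

```python
import calendar
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def add_months(moment, months):
    """Shift a datetime forward by whole months, clamping the day (Jan 31 -> Feb 28)."""
    month_index = moment.month - 1 + months
    year = moment.year + month_index // 12
    month = month_index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ConsentRecord:
    consented_at: str       # date and time of consent (ISO 8601, UTC)
    user_id: str            # identity of the user
    method: str             # how consent was collected, e.g. "cookie_banner"
    information_shown: str  # the notice displayed before the user chose
    purposes: tuple         # what the user consented to
    delete_by: str          # cookie data must be deleted by this date (13 months)


class ConsentError(ValueError):
    """Raised when the form would yield a passive opt-in instead of explicit consent."""


def record_consent(user_id, method, information_shown, purposes, choice,
                   box_prechecked=False, now=None):
    """Return a ConsentRecord for an explicit 'accept', None for 'decline'."""
    if box_prechecked:
        raise ConsentError("pre-ticked box is a passive opt-in, not explicit consent")
    if choice not in ("accept", "decline"):
        raise ConsentError(f"unknown choice {choice!r}")
    if choice == "decline":
        return None  # nothing is stored for this visitor
    now = now or datetime.now(timezone.utc)
    return ConsentRecord(now.isoformat(timespec="seconds"), user_id, method,
                         information_shown, tuple(purposes),
                         add_months(now, 13).date().isoformat())


def to_log_line(record):
    """Serialise one record as a JSON line for an append-only consent log."""
    return json.dumps(asdict(record), ensure_ascii=False)


def example_record():
    """Constructed sample: consent given on 31 Jan 2024 via the cookie banner."""
    return record_consent("user-42", "cookie_banner", "Cookies are used for audience statistics.",
                          ["statistics"], "accept", now=datetime(2024, 1, 31, tzinfo=timezone.utc))
```

Each accepted consent is appended as one JSON line, which is the evidence the consent record is meant to provide in the event of an inspection.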
You must also change the page about your legal notices and privacy policy. This must include the following items:
–Purpose of the data processing
–Physical location of data collected
–Storage period of data collected
–Details of who has access to this data (employees, subcontractors)
–Details of what the users consent to
–The legal elements that authorize the company to collect data (articles of the GDPR, database and privacy law (loi informatique et libertés), …)
–The security measures taken by the company for data protection
–The procedure to be followed by the users to withdraw their consent
–The procedures to be followed by the users to consult and/or receive their stored data
–The procedures to be followed by the users to rectify or delete the data collected.
For the last three points of the previous list, it is useful to make a link to the contact page of your website. You could mention an e-mail address and/or a phone number to be able to contact the person responsible for these actions in your company. As soon as users want to consult, receive, rectify or delete their data, you have one month to respect their rights. Beyond this time, they can refer to the CNIL.
Finally, according to the GDPR, you cannot make access to your service conditional on the prior collection of personal data. However, if you offer, for example, an online quote service, it is normal that you need certain data to produce the quote. That is why you could offer another way (a phone number) to contact you for those who do not want you to collect their data via an online form.
3- What are the impacts of the GDPR on your company’s organization?
Firstly, you must know whether you are obliged to appoint a DPO (cf. detailed information in the previous article). Even if the DPO is optional for your company, we advise you to appoint a GDPR manager. This manager will be responsible for handling users’ requests to exercise their rights over personal data (right of access, to rectification, to object, to be forgotten, to restriction of processing and to data portability). You should also describe in a document the procedure by which these rights are honoured. This must describe the process steps (as a flow chart, for example) and name the people responsible.
Secondly, in order to comply with the right to data portability, all the data collected automatically and with prior consent of the user must have a structured, commonly used and machine-readable format. For example, these formats can be XLS, XML, JSON or CSV.
4- How to secure your data?
When you collect data from your customers or employees, you commit to giving access to only certain people. This must be guaranteed in your company by regulating the rights of access to the data collected. Thus, each employee must log in with a personal username and a complex password, and specific authorizations must be attached to each personal username. For example, only those in charge of sales offers should have access to your customers’ dates of birth, and only human resources employees should be able to access data about other employees.
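Field-level access of the kind just described, as an added example that is not FIDEXTRA's code: access is denied by default, each role sees only the fields it is authorized for, and every access is written to an audit trail that can be produced during an inspection. The role names, field names and sample records are assumptions.

```python
from datetime import datetime, timezone

# Which roles may read which field; anything not listed here is never returned.
FIELD_ROLES = {
    "customer": {
        "name": {"sales", "support"},
        "email": {"sales", "support"},
        "date_of_birth": {"sales"},            # only those preparing offers need it
    },
    "employee": {
        "name": {"hr", "payroll"},
        "children": {"hr", "payroll"},         # kept only for payroll and contributions
        "social_security_number": {"hr", "payroll"},
    },
}

AUDIT_LOG = []  # in production this would be an append-only store


class AccessDenied(PermissionError):
    pass


def view_record(record_type, record, requester, role, when=None):
    """Return only the fields `role` may see, and log the access (who, what, when)."""
    allowed = FIELD_ROLES.get(record_type)
    if allowed is None:
        raise AccessDenied(f"unknown record type {record_type!r}")
    # Deny by default: a field absent from FIELD_ROLES is visible to nobody.
    visible = {f: v for f, v in record.items() if role in allowed.get(f, set())}
    if not visible:
        raise AccessDenied(f"role {role!r} has no access to {record_type} records")
    AUDIT_LOG.append({
        "at": (when or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
        "user": requester, "role": role, "type": record_type,
        "fields": sorted(visible),
    })
    return visible


if __name__ == "__main__":
    # Constructed sample customer; "notes" is not in FIELD_ROLES, so nobody sees it.
    customer = {"name": "A. Martin", "email": "a.martin@example.invalid",
                "date_of_birth": "1980-05-01", "notes": "internal"}
    print(view_record("customer", customer, "bob", "sales"))
    print(view_record("customer", customer, "carol", "support"))
    print(AUDIT_LOG)
```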
Moreover, you should describe in a document your security measures (antivirus protection, data encryption, security of premises and access to servers) and the procedures to follow in the event of a data breach. We remind you that under the GDPR you are obliged to inform the people whose data you are collecting within 72 hours of detecting a data breach.
Finally, it may be interesting to assess your cybersecurity with your usual IT service provider. We will provide more details in a future article about the growing importance of cybersecurity in all activities.
5- How to certify your compliance with the GDPR?
In the event of an inspection by the CNIL, you must be able to prove your compliance with the GDPR by means of a file containing all the documents attesting to your compliance. Thus, your file must include the consent record, the Privacy Impact Assessment, contracts with your subcontractors, the procedures for the exercise of users’ rights, the consent request matrix, the user information statements and the procedures implemented in the event of a data breach. If you have more than 250 employees, you also have to fill in a record of data processing as described in the previous article. If you transfer data to countries outside the EU, you must also add to this file the authorizations received from the CNIL and the guarantees obtained from your subcontractor.
To conclude, the five points mentioned above, which are not exhaustive, are the priority areas for complying with the GDPR. We advise you to get support from the company that designed your website for its compliance and from the company that maintains your IT equipment for your cybersecurity. The CNIL also offers examples of legal notices for your website, as well as blank record templates. CNIL advisors can help you through this transition period.