RGPD: the deadline is approaching!

A few recommendations in 7 steps

By Giuliano Ippoliti, Cloud Temple CISO & Director of the Grand Ouest Agency

25 May 2018, the date of application of the European Data Protection Regulation (RGPD), is fast approaching. How can you best prepare for this deadline? What happens if a company has not yet taken the first steps towards compliance? It may seem anecdotal, but we've found that it's a very common occurrence, especially among medium-sized businesses.

The aim is not to pass judgement, but to provide pragmatic and effective advice on how to make the most of the few months that remain. Better late than never!

Of course, every company is already required to comply with the Data Protection Act: the RGPD represents an evolution, not a revolution.

The following recommendations are based on the guidance published by the CNIL. There is work to be done.

Stage 1 - Appoint a compliance officer.

Ideally, this person will be an expert in information systems security or a legal expert, familiar with cross-functional projects. This person must, of course, be trained in the RGPD. Self-training using the materials published by the CNIL can be an effective solution.

Stage 2 - Understand the following 4 key concepts, and make sure they are understood throughout the company:

  • Personal data: any information enabling a natural person to be identified, either directly (nominative data) or indirectly;
  • Data processing: any operation on personal data, whether in an Excel file, a database, a business application or even on paper. Simply consulting data on screen is considered processing. The scope of the Regulation covers processing operations carried out within the European Union (EU) or on EU residents;
  • Data controller (RT): the entity which determines the purpose and means of processing;
  • Sub-contractor (processor): the company that carries out processing on behalf of the controller.

Stage 3 - Make an inventory of the processing of personal data and formalise it in registers.

In general, there are two of them:

  • The register of processing operations for which the entity is responsible (a model of this register is available on the CNIL extranet);
  • The register of processing operations where the entity acts as processor. This is a lighter version of the first: processors are not required to provide the same level of detail as data controllers.

Stage 4 - Check that the 6 golden rules of data protection are applied to each processing operation:

  • Lawfulness: the legal basis for processing. The most frequent cases are consent and the legitimate interest of the RT;
  • Purpose: the aim of the processing, which must be explicit and consistent with the mission of the organisation processing the data;
  • Minimisation: only data that is relevant and proportionate to the purpose is collected;
  • Accuracy: the RT must take steps to update the data if necessary;
  • Limited retention period: data cannot be kept indefinitely, except in very specific cases;
  • Security: the measures in place must be appropriate to the risk presented by the processing, in particular to guarantee the integrity and confidentiality of the data.

Stage 5 - Put in place processes to guarantee that people can exercise their rights.

Some of these rights have been introduced by the RGPD, in particular the right to portability and the right to object to an automated individual decision (profiling).

Stage 6 - Review, as far as possible, all contracts with customers and subcontractors to include data protection clauses.

Given the scale of the task, it is advisable to prioritise.

Stage 7 - Carry out impact assessments for the processing operations that present the greatest risks.

Care must be taken to adopt the point of view of the people whose data is being processed. This should lead to action plans to increase security and reduce risk.

The key to compliance is to document everything: this will provide proof that the regulations have been complied with.
