In May 2018, new European regulations on the protection of personal data will enter into force. All companies will have to comply. The regulation aims to reinforce the rights of persons whose personal data is used, and to increase the responsibility of those who are involved in the use of this data. It will give new prerogatives to the French Commission nationale de l'informatique et des libertés (Cnil), which is in charge of overseeing compliance in this field, including sanctioning violations.
Here are some steps to implement in the coming months:
1. Designate a pilot
To manage the governance of your company’s personal data, you will need a pilot, someone who will carry out an information, advisory and internal control mission: the data protection officer. This is mandatory in certain companies, but in practice is highly recommended for all.
2. Start by accurately listing/auditing your personal data processing
The development of a register/audit of uses of personal data should cover the company internally and, if applicable, any subcontractor.
3. Prioritize the actions that need to be taken
Based on your register/audit, identify the actions that you’ll need to take to comply with current and future obligations. Prioritize these actions with regard to the risks your uses pose to the rights and freedoms of the people concerned.
4. Manage risks
If you have identified the processing of personal data that may give rise to high risks for the rights and freedoms of data subjects, you will need to carry out a data protection impact assessment for each of these uses.
5. Organize internal processes
To ensure a high level of personal data protection at all times, implement internal procedures that ensure that data protection is taken into account. Consider all the events that may occur in the long run (e.g. a security breach, management of requests for rectification or access, modification of data collected, a change of provider), and make sure that quick reactions are planned and implemented in case of security breaches.
6. Document your company’s compliance
To prove your compliance with the rules, you must create and consolidate the necessary documentation. Actions and documents completed at each stage must be reviewed and updated regularly to ensure continuous data protection, including with any subcontractor.