On 15 March 2017, the French Data Protection Authority (“CNIL”) published a six-step methodology to prepare for the application of the General Data Protection Regulation (“GDPR”) on 25 May 2018. It appears the rationale for this publication is that simply complying with the GDPR will not be the end of the obligations for companies. From 25 May 2018, companies will also have to be able to demonstrate their compliance. The GDPR insists on accountability and transparency. Therefore, the CNIL decided to publish a methodology to help companies properly adapt their compliance program.
The six steps are set out below:
1. Appoint a Data Protection Officer (“DPO”) to take responsibility for the company’s compliance program. The DPO's role will be to provide information and advice and exercise control over a company's data protection compliance. Companies can already appoint a Correspondant Informatique et Libertés (“CIL”) to get started and prepare for the future compliance actions.
2. Carry out a data mapping: companies will have to identify and keep a record of all their data processing activities. For each data processing activity, companies should answer the following questions: Who? What? Why? Where? Until when? How?
3. Prioritise compliance actions: On the basis of the register, companies should identify the actions to be taken to comply with current and future obligations.
4. Manage the risks by conducting impact assessments if some data processing could generate a high risk for the rights and freedoms of data subjects.
5. Organise internal processes to ensure data protection at any time. Companies should anticipate data breaches and how to respond to incidents.
6. Document all compliance measures to prove the company’s compliance at any time. Actions and documentation carried out at each step must regularly be reviewed and updated.
Organisations operating in France should ensure that they make use of the CNIL's methodology when implementing GDPR compliance programmes.
More information about the CNIL's six steps is available here (French).
Submitted by Thierry Dor, Partner and Laurie-Anne, Evra-Ancenys, Senior Associate of Gide Loyrette Nouel Paris – Paris, France, in partnership with DAC Beachcroft LLP