1. The steps of the GDPR compliance procedure
To meet the CNIL's expectations and comply with the GDPR, four elements must be respected:
1) Identify processing operations: identifying processing operations requires the data controller to keep a register of processing activities in accordance with Article 30 of the GDPR.
2) Sort data: the aim is to verify the relevance of each data item, its necessity and its nature in relation to the purpose pursued by the company using the personal data, so that security measures can be adapted to the risks associated with the processing. It is also necessary to ensure that personal data is accessible only to authorized staff and to specify precisely how long data is stored and archived.
3) Respect the rights of the public: respecting citizens' rights means informing the individuals whose personal data is processed, and organizing and facilitating the exercise of these rights.
4) Secure personal data: the companies concerned must put in place technical and organizational measures that guarantee the security of the data according to its sensitivity, together with the specific measures made necessary by the risks that a breach would pose to the rights and freedoms of the persons concerned.
According to the CNIL, bringing a company or organization into compliance with the GDPR is carried out in six steps:
Step 1: Designate a pilot: a pilot is a person in charge of managing users' personal data. As part of data management, the pilot carries out three missions: information, advice and control.
Step 2: Map: companies and organizations concerned by the GDPR must map their data, that is, identify all the personal data they process. This is an essential step for corporate compliance because it gives the company a global view of the flow of personal data within it. In this way, the various actors in the company gain better access to, and a better understanding of, the data.
Step 3: Prioritize: prioritizing the actions to be taken consists in establishing a schedule of actions, controls and corrections that takes into account the objectives and constraints of managing the risks the company incurs. As part of prioritization, the company must ensure that it collects only the data necessary to carry out its activity.
It must also determine the database on which it relies to collect this data, verify the compliance of legal notices, contact subcontractors and harmonize its internal practices. Finally, it must verify the methods of controlling and rectifying the data offered to users and secure its system for retrieving and storing personal data.
Step 4: Manage risks: risk management means identifying the processing of personal data that is likely to generate high risks for the rights and freedoms of users.
Therefore, a company that considers that some of its practices may be risky for the rights and freedoms of citizens should conduct an impact assessment of these practices within its organization.
Step 5: Organize: organizing internal processes ensures a high and permanent level of protection for users whose personal data is processed.
To organize its internal processes, the company concerned must put in place internal procedures that take into account and guarantee the protection of user data at all times, by anticipating events that may occur during the period of data processing.
Step 6: Document: compliance documentation consists of consulting and grouping the necessary documentation. The documentation produced during the previous steps should be reviewed and updated regularly in order to ensure constant data protection.
For more details, consult the CNIL website.
2. The body responsible for monitoring compliance with the GDPR
The body responsible for monitoring companies' compliance with the GDPR is the Data Protection Officer (DPO).
To perform all of its missions, the DPO must take into account the risks associated with data processing operations according to their nature (sensitive data or not), the scope of the processing, the context in which it is carried out and the purposes of the processing.
The appointment of a DPO is mandatory under Article 37 of the GDPR.
In practice, when appointing a DPO, it is recommended to detail all of his or her missions in the employment contract. The rules for appointing the DPO are set out in Article 37 of the GDPR.
a. The missions of the personal data protection officer
The missions of the DPO are set out in Article 39 of the GDPR.
The DPO has two main missions:
- An information mission: the DPO must inform companies of all their obligations regarding the protection of personal data, pursuant to Article 39(1)(a) of the GDPR. According to this article, the DPO must inform data controllers, subcontractors (processors) and the employees who carry out processing on their behalf.
- An advisory mission: the DPO can draw up informative documents in which he or she develops a data protection policy. These documents can also serve as evidence of the implementation of the principle of accountability, a principle imposed by the regulation.
In addition, the DPO has a mission to monitor compliance with the GDPR and with all legislation concerning the protection of personal data.
The DPO must also ensure compliance with the internal rules of the body he or she supervises, in particular the rules that allocate responsibilities for raising awareness and training the personnel responsible for processing data.
To carry out this control mission, the DPO may collect information that makes it possible to identify processing activities, analyze and verify the compliance of these activities, inform and advise the data controller or its subcontractors on their obligations by making recommendations to them, and train staff or call on a specialized training organization.
b. The obligations of the personal data protection officer
The general obligations of the DPO are set out in Articles 24 to 31 of the GDPR.
The DPO has obligations to comply with as part of his or her missions, in particular with regard to the security of personal data.
Indeed, as an actor in GDPR compliance, the DPO must implement the security policy of the person responsible for processing personal data (the data controller).
In addition, the DPO has an obligation to notify the supervisory authority (the CNIL) in the event of a personal data breach. This obligation is set out in Article 33 of the GDPR.
Article 34 of the GDPR also provides that, in the event of a personal data breach, the persons concerned must be notified.
The DPO may also be required to create the documentation needed for these notifications and to use it.
Finally, the DPO can assist the data controller when the latter plans to file a complaint following a flaw in its computer security system.
To learn more about the subject, read our complete article, RGPD: Everything you need to know about the protection of personal data.