7 key steps to bring your business into GDPR compliance

📌 This article comes from a webinar that you can find here.

Before discussing the key steps to comply with the GDPR, let's discuss the sanctions in the event of a breach

The CNIL (National Commission for Information Technology and Liberties) is the body in France that audits companies and imposes sanctions in the event of a breach. The CNIL has now ended its period of support for businesses and has moved into a phase of active enforcement.

The sanctions imposed can be of two types:

  • Monetary penalty: between 2 and 4% of turnover, or 10 or 20 million euros
  • Reputational sanction: the CNIL may decide to make its sanction decision public. The resulting damage to the company's image among employees, partners and customers can be considerable.

Examples of recent sanctions:

  • Carrefour: breaches of data retention rules; failure to respect the exercise of data subjects' rights; failure to inform individuals – 2,250,000 €
  • Nestor: prospecting without consent and several other breaches of the GDPR – 20,000 €
  • Credential stuffing: a data controller and its subcontractor sanctioned for not having taken adequate security measures – 150,000 € + 75,000 €

The 7 stages of compliance

1. Appoint a DPO/GDPR referent

Depending on your activity, check whether the appointment of a Data Protection Officer (DPO) is mandatory. Even if a DPO is not obligatory, it is strongly recommended to appoint a referent/pilot, who will be in charge of the GDPR project in the company.

2. Centralize existing documentation

Start by consulting the files of declarations made to the CNIL via the following link: https://www.cnil.fr/fr/les-formalites-prealables-accomplies-aupres-de-la-cnil-avant-le-25-mai-2018.

This gives you a first draft of the processing activities carried out by your company. Also collect the existing information documents (privacy policy, terms and conditions of sale, terms and conditions of use, legal notices...). Build your company organizational chart so you can list the departments and the interactions between them.

3. Build your processing register

Build your processing register on the basis of the documentation collected, of internal declarations (interviews with representatives of the different departments) and of an application map identifying the tools used by each department.

4. Audit of the organization's processing

Two types of audits must be carried out:

  • Audit of processing activities: the lawfulness analysis, i.e. do the purposes respect the principles of the GDPR (lawfulness, minimization, retention period...)
  • Audit of the organization: management of data subjects' rights, management of subcontractors, information system security...

5. Correction of compliance gaps

Develop an action plan:

  • Maintaining a register of processing activities and updating it
  • Drafting and implementation of the mandatory information notices on forms
  • Upgrading security measures
  • Staff awareness

The next two steps are not chronological; they can be carried out in parallel with the previous steps.

6. Implementation of governance procedure

The DPO must be involved in all personal data issues and upstream of any new project relating to personal data.

It is important to train staff who are in contact with data subjects, in particular on how to inform them.

Implementation of mandatory procedures:

  • Procedure for handling requests from data subjects exercising their rights
  • Internal data protection procedure
  • Procedure in the event of a personal data breach
  • Procedure for informing data subjects
  • Procedure for managing data protection impact assessments
  • Procedure in the event of a CNIL inspection
  • Subcontractor selection procedure

Being compliant with the GDPR is not a snapshot at a given moment: it is important to maintain compliance over time, notably by implementing regular audits of the mandatory procedures.

7. Live your compliance

It is also imperative to regularly carry out regulatory monitoring and train staff on data protection issues.

In order to centralize documentation and processes, it is strongly recommended to use GDPR governance software.