
What is the GDPR?

The General Data Protection Regulation (GDPR) was adopted by the European Parliament in 2016 and entered into force in 2018. It establishes a legal framework for the protection of personal data in Europe. Any entity that handles the personal data of European residents must comply with the Regulation. Its application extends beyond the borders of Europe: data controllers and foreign processors who handle personal data originating from the European Union (EU) must apply the GDPR even if the processing takes place outside the EU.

The text strengthens the protection of the people whose data is collected and the rights they can exercise. In particular, they can access the data collected about them, decide, for example, to rectify or delete it, and request its portability. The GDPR imposes numerous obligations on data controllers, such as keeping a register of processing activities or notifying the CNIL in the event of a data breach. These obligations are accompanied by the accountability of data players: the data controller guarantees the conformity of its activities and must be able to demonstrate it.


Personal data and its retention

With the use of new technologies, flows of personal data are growing constantly. The GDPR aims to regulate their processing in order to protect the privacy of individuals.

The notion of data corresponds to information from which a message can be deduced. For example, "the temperature is 30°C" is information, from which we can deduce "it is hot".

In terms of privacy protection, so-called personal data is information relating to natural persons. This obviously covers identity or contact data, but the scope of personal data is much broader. Take for example a purchase history on an online shop: the seller may use this information to suggest other products to you. During the same operation, it will also collect information such as your last name, first name, postal address, email address and telephone number, but also your purchasing habits, your IP address, your favourite websites, and so on. All this information constitutes personal data.

Whatever the type of data processed, the CNIL applies a criterion of "direct" or "indirect" identification of the person. In other words, information is personal data as long as it makes it possible to recognize the natural person it relates to, whether that link can be made from a single piece of data or from the aggregation of several pieces of information.

The GDPR also distinguishes different categories of personal data which receive a degree of protection appropriate to the risk of infringement of the rights and freedoms of individuals. Thus, the processing of health data is subject to greater protection because of its sensitivity. The same applies to data relating to racial origin, political, religious or trade-union opinions, and to data relating to criminal convictions.


Still with the aim of protecting the interests of individuals, the GDPR obliges the data controller to determine the retention periods of the data it processes. It should process only the data strictly necessary for its activity and keep it for no longer than it is useful. For each processing operation, the data controller must inform the data subjects of the applicable retention period.

Retention periods may be set by specific legal obligations. Where no text provides for a retention period, it must be reasonable and proportionate to the objective pursued by the data processing.

Once these periods have expired, the data must be deleted from the database or anonymized. Otherwise, the data controller fails in its obligation to limit the scope of the data it processes and does not respect the principle of data minimization.


GDPR compliance is not a certification validated at a given moment, but an ongoing process of continuous improvement within the company.

The objective of a GDPR compliance project is to achieve a sufficient and adequate level of protection in view of the risks, so as to be able to demonstrate at any time, particularly in the event of a security incident, a complaint or an inspection, that all the measures necessary to counter these risks have been implemented.

GDPR compliance is a new internal process that evolves over time, which is why the company must define a clear method and enforce it in each department of its organization. The company can rely on a software solution to implement the compliance process.

The concept of personal data processing and the processing register

The GDPR defines processing as "any operation or set of operations, whether or not carried out by automated means, applied to personal data or sets of personal data". More simply, data processing is a set of operations carried out on personal data. This notion is not easy to grasp because it covers many possibilities.

Data processing exists from the moment you act on one or more items of personal data:

· Collecting data to group it into a file is processing,

· Deleting data from a listing is another processing operation,

· Structuring your customer data in software is, again, processing,

· An Excel file of guests at an event is, as you guessed, processing.

Data processing can be both electronic and paper-based. The pile of CVs abandoned in an HR department cupboard is the result of processing.

Pursuant to Article 30 of the GDPR, anyone who carries out data processing (as data controller but also as processor) must keep a register of processing activities. It is a document that allows you to list, describe and analyze all of your processing of personal data and to have an overview of it. It must be maintained by all organizations, public and private, whatever their size, when they process personal data. Companies with fewer than 250 employees must only list:

  • non-occasional processing operations (example: personnel management);
  • processing operations likely to pose a risk to the rights and freedoms of individuals;
  • processing operations that concern sensitive data (example: health data, religious opinions, etc.).

In practice, processing operations that fall under this exemption reserved for smaller structures are quite rare and, generally speaking, as long as you use information about European residents in a professional capacity, you are concerned. This is the pivotal document of your compliance: you cannot ignore it, and it will necessarily be requested from you in the event of an inspection.


Depending on your status as processor or data controller, the list of mandatory information that must appear in the register varies. However, beyond the strictly mandatory information, keeping a register is an opportunity to identify all the information you need to ensure the conformity of your processing. This is why Data Comply One (formerly Mission RGPD) offers an "advanced" mode in its processing register application, which helps you ask the right questions and review your processing methods and compliance with your obligations.


How does the Data Comply One software (formerly Mission RGPD) help prepare for and pass a CNIL audit?

It centralizes all the evidence of compliance, generates the required documents and guides you step by step.

How do I know if my company is compliant?

You can easily check this with our free online GDPR self-assessment, which assesses your practices and identifies your points of non-compliance.

What is GDPR software?

It is software that centralizes all the tools necessary to implement, manage and maintain GDPR compliance.

What is the GDPR Committed label?

It is a private label issued by Data Comply One (formerly Mission RGPD) that recognizes companies which have implemented a structured, serious and active compliance approach.

What is the role of the DPO?

The DPO (Data Protection Officer) ensures compliance with the GDPR within the organization, advises the teams and acts as a link with the supervisory authorities.

What are the risks of non-compliance with the GDPR?

Penalties can reach 20 million euros or 4% of annual worldwide turnover, not to mention the impact on image and on the trust of customers and employees.