The General Data Protection Regulation
Newsletter - April 2018
The General Data Protection Regulation (GDPR) was adopted by the European Union on 27 April 2016 and will come into force on 25 May 2018. From that date it will therefore apply in France.
Privacy Requirements
The GDPR will apply to all companies and other organisations within the European Union. It guarantees a right of access to personal data and to rectification of it, a right to object, a right to restrict processing, a right to erasure of personal data, and a right to data portability. The definition of personal data is very broad, since it covers any “information relating to an identified or identifiable natural person,” including where a person can be identified by cross-referencing data points.
On the one hand, companies for which data processing is the main line of business or a sensitive line of business (operation of a database or processing of medical data, for instance) must implement appropriate technical and organisational measures to ensure that personal data is processed in accordance with the GDPR, and must be able to demonstrate this.
On the other hand, companies that on the face of it are involved only to a small extent are subject to the GDPR all the same: an employee’s social security number, personal address or family situation, or even the email address of a client, are all information items that are deemed “sensitive” and that require appropriate processing.
The GDPR introduces a principle of accountability for the processing of data, which also applies to any sub-contractor (service provider), who is accountable for the data it processes.
Companies’ work strategies
Companies and other organisations must now adapt to these new measures. France’s CNIL (“Commission Nationale de l’Informatique et des Libertés,” the national information processing and freedoms board) has produced a white paper to help the entities concerned comply with these new provisions. It defines six key steps:
– Appoint a lead who is responsible for the governance of personal data. In his or her capacity as Data Protection Officer (DPO), this person provides information and advice internally and monitors the situation.
– Map the processing of personal data, by creating a processing register that records how the various data items are processed (by addressing the questions who? what? why? for how long? and how?).
– Prioritise the actions to be performed, on the basis of the register created in the previous step, by identifying the actions required according to the risks that the data processing poses to the rights and freedoms of the persons concerned.
– Manage the risks, by performing a data protection impact analysis for each processing operation that presents a risk.
– Organise the internal processes, so as to ensure a consistently high level of protection of personal data, through internal procedures that guarantee the data items are taken into account at all times and that anticipate the events likely to affect the data processing (e.g., an IT security flaw, the handling of access or rectification requests, a change of service provider).
– Document compliance, by recording and updating the actions already performed to ensure the continuous protection of the data items.
The CNIL has also published on its website a practical guide aimed at very small enterprises and small and medium-sized enterprises, to facilitate implementation of the GDPR.
Supervision
The supervisory authority (the CNIL) will oversee the application of the GDPR and compliance with it. The CNIL is therefore likely to carry out inspections, in particular with the assistance of another supervisory authority or another public authority. The CNIL will also be empowered to initiate its own enquiries, which may arise out of a complaint by a concerned person.
The CNIL is also able to perform an on-line check as a first step. It then has the authority to initiate a more extensive check if there is a patent wrongdoing (such as no mention of compliance with the provisions of the GDPR, or the transmission of sensitive data such as a client’s name or pictures of employees).
Penalties
The penalties will be in proportion to the offences observed. They may include:
– a warning,
– an official notice,
– a limitation (either temporary or permanent) of the processing of a data item,
– a suspension of data flows,
– an order to satisfy requests from persons exercising their rights,
– an order to rectify, restrict or erase the data.
Infringement of the GDPR may also lead to monetary penalties, with two caps:
– up to €10 million or, in the case of a company, up to two per cent (2%) of global annual turnover, for instance in the event of a failure to process the data gathered fairly, a lack of disclosure to or consent of the persons concerned, or a failure to honour the rights of access, rectification, to be forgotten or to portability;
– up to €20 million or, in the case of a company, up to four per cent (4%) of global annual turnover, for instance in the event of a failure to notify a security flaw, a failure to keep the processing register, a lack of an impact study or a failure to appoint a DPO.
We remain entirely at your disposal if you have any further queries about the issues discussed in this newsletter or about any other accounting, tax, social security or legal topic.