The new European regulation on personal data protection will come into effect on May 25th, 2018. The approval of this text must allow Europe to adapt to the new realities of digital technology.
A methodology in 6 steps to get prepared and anticipate the changes related to this European regulation entering into force.
While the obligations of bodies under the Data Protection Act largely rest on the prior formalities (declaration, authorization), the European Data Protection Regulation is based on a logic of accountability (« Accountability » principle) and transparency.
Thus, any person responsible for the processing of personal data must henceforth be able to demonstrate their compliance with the new provisions.
STEP 1 – DESIGNATING A DATA PROTECTION OFFICER (DPO)
The implementation of these tools implies, before-hand, the appointment of an internal « pilot »: the data protection officer, a true « conductor » of the protection of personal data within the organization.
The appointment of a DPO is mandatory in 2018 if:
- You are a public body,
- You are a company whose basic activity leads you to carry out a regular and systematic monitoring of people on a large scale, or to treat on a large scale so-called « sensitive » data or relating to criminal convictions and offenses.
Even if your organization is not formally obliged to designate a Personal Data Protection Officer, it is highly recommended to appoint a person with internal relays, in charge of ensuring compliance with the European Regulation.
STEP 2 – IDENTIFYING THE WHOLE OF PERSONAL DATA PROCESSINGS
In the framework of the future regulation, the bodies must keep a complete internal documentation on their personal data processings and ensure that these processings comply with the new legal obligations.
So, you need to draw up a list of:
- The different processings of personal data,
- Categories of personal data processed,
- The objectives pursued by the data processing opera- tions,
- The internal and external actors who deal with the data processing. You will especially need to clearly identify the subcontractor providers in order to update the confidential clauses,
- The flows by indicating the origin and destination of the data, in particular to identify any data transfers outside the European
For each personal data processing, ask yourself the following questions:
- Enter in the register the name and contact details of the processing supervisor (and his / her legal representative) and, if necessary, the data protection officer,
- Identify who is responsible for operational services processing the data in your organization,
- Draw up the list the subcontractors.
? What ?
- Identify the categories of processed data,
- Identify data that may raise a risk because of their particular sensitivity (for example, data pertaining to health or offenses).
Indicate the purpose(s) for which you collect or process these data (example: management of the commercial relation, HR management…).
? Where ?
- Determine where the data is hosted,
- Indicate to which countries the data may be transfered.
? How long?
Indicate for each category of data how long you keep them.
What security measures are implemented to minimize the risks of unauthorized access to data and that may thus impact on the privacy of the persons concerned?
STEP 3 – PRIORITIZING ACTIONS TO BE CARRIED OUT
Identify the actions to be carried out in order to comply with current and future obligations.
Some points of attention whatever your processings:
- Make sure that only data strictly necessary for the pursuit of your goals is collected and processed
- Identify the legal basis which your processing is based on (for example: consent of the person, legitimate interest, contract, legal obligation).
- Review your mentions of information to ensure compliance with the requirements of the Regulation.
- Check that your subcontractors are aware of their new obligations and responsibilities, make sure there are contractual clauses reminding the subcontractor’s obligations with regard to security, the confidentiality and the protection of the personal data processed.
- Plan the procedures of exercise of the rights of the persons concerned (right of access, rectification, right to portability, withdrawal of consent…).
- Check the security measures implemented.
STEP 4 – RISK MANAGEMENT
If you have identified processings of personal data that may raise high risks for the rights and freedoms of individuals concerned, you will have to carry out, for each of these processings, a Data Protection Impact Assessment. (« Privacy Impact Assessment » or PIA).
STEP 5 – ORGANIZING INTERNAL PROCESSES
Implement internal procedures that guarantee data protection at all times, by taking into account all the events that may occur during the life of a processing (eg. security breach, management of rectification requests or access, modification of data collected, change of provider). Especially :
- Take into account the protection of personal data as from the design of an application or a processing (minimization of data collection with regard to the purpose, cookies, retention period, mentions of information, collection of consent, security and confidentiality of data, ensure the role and responsibility of the actors involved in the implementation of data processing). To do this, follow the advice of the data protection officer,
- Raise awareness and organize information received by creating a training and communication plan for your associates,
- Process complaints and requests from the individuals concerned as to the exercise of their rights (access / rectification / opposition rights, right to portability, withdrawal of consent) by defining the actors and the procedures (rights exercise must be available electronically, if the data has been collected by this means),
- Anticipate data breaches by providing, in some cases, notification to the data protection authority within 72 hours and to the persons concerned as soon as possible.
STEP 6 – DOCUMENTING THE COMPLIANCE
To prove your compliance with the Regulation, you must set up the necessary documentation.
This documentation must include the following elements:
- The processing register (for processings managers) or processings activity categories (for subcontractors),
- Data Protection Impact Assessments (PIAs) for processings that may raise high risks to the rights and freedoms of individuals,
- Supervision of data transfers outside the European Union (in particular, standard contractual clauses, BCRs and certifications).
Information regarding people :
- Information mentions,
- Models of collecting the consent of the persons concerned,
- The procedures implemented for the exercise of rights.
Contracts that define the roles and responsibilities of the actors:
- Contracts with subcontractors,
- Internal procedures in case of data breaches,
- Evidence that individuals concerned have given their consent when the processing of their data rests on this basis.
In order to be up to date with your obligations, contact now your public accountant!