The GDPR (General Data Protection Regulation) is the European reference text on personal data protection for residents of the European Union and will harmonize data management in all countries of the EU. Applicable as off May 25 2018, it concerns all economic and social actors offering goods and services on the EU market if in their activities they process personal data of EU residents. This includes companies, associations, public bodies, but also businesses whose head office is outside the EU but which operate in the EU and on data from EU citizens, as well as subcontractors whose activities fall within this framework.
The aim of this new regulation is to give EU citizens more control over their private data, including what information is collected, for what purposes and for how long.
The main challenge for companies is therefore to know at any moment where their data is located and how to collect and transmit them to the customer on request.
This presupposes that a company must know what information it collects about individuals, the storage location, the purpose of their collection, and also how they are managed, shared and erased. To enforce these new measures and motivate companies to take the matter serious, there are heavy penalties for non-compliance with the GDPR that can be up to 4% of annual worldwide turnover or €20 million.
It is the larger sum between the two that will be applied, and on top of the fine, it is also the company that will have to pay for damages to the individual suffered for non-compliance with the GDPR.
The 5 new principles to be implemented to ensure better protection of personal data:
- The concept of “Accountability”
- The “Privacy by Design” approach
- The “Security by Default” approach
- The designation of a Data Protection Officer (DPO)
- Conducting Impact Studies
The GDPR introduces a notion of accountability. It is up to the company to take all measures to ensure compliance with the GDPR and this also implies that the company must be able to demonstrate that it has fulfilled its obligations in terms of data protection, which will be required in particular during an audit (by the CNIL for example).
Privacy by Design
Privacy by Design means that the protection of personal data must be taken into account already from the design of the product or service, but also in the information system, in a database or when designing applications.
Security by Default
The Security by Default principle reinforces the role of security in the information system. The information system must be secured at its various levels, from the physical to the logical level, for example with access controls or a security breach prevention system.
But the company must also be able to detect whether the integrity of its information system has been compromised and to fix issues immediately.
The Data Protection Officer
The role of the Data Protection Officer (DPO) must be involved in the various issues and problems of personal data protection of the company. His/her role is to ensure the company’s compliance with the GDPR and to act as a point of contact with the supervisory authorities.
Finally, the last point concerns the conduct of impact studies. The GDPR asks companies to carry out an impact assessment on the protection of personal data before implementing new data processing operations that could potentially present risks of infringements of individual rights and freedoms. Where appropriate, the impact assessment should also include measures to reduce the consequences of potential damage to personal data protection.