
General Data Protection Regulation Increases Company Responsibility

Nathalie Devillier, professor of law at Grenoble Ecole de Management
Published on 26 April 2018

The European General Data Protection Regulation (GDPR) is a guiding legal framework for managing personal data. Its goal is to better protect the privacy of European internet users, and it carries important implications for companies. How should businesses prepare for this regulation, which will come into effect on May 25th?

The GDPR was adopted in April 2016 and will be enforceable as of May 25th, 2018. It has three primary goals: (1) to reinforce the rights of citizens, both over and under 18 years of age, in relation to their control of personal data; (2) to increase the responsibility of data players, both companies and other intermediaries; (3) to increase regulations and sanctions in Europe.

Companies must prove their compliance

Companies will now be required to justify the ways in which they are complying with the GDPR. "Companies have to guarantee and prove that their use of data is compliant and secure at all times. In addition, this requirement is expanded to include all subcontractors and service providers working with the company," explains Nathalie Devillier, a professor of law at Grenoble Ecole de Management. In other words, every company and its subcontractors must be able to demonstrate a compliance process that is transparent and implements proper procedures to collect, store, use, share or destroy personal data.

7 tips from Nathalie Devillier

1 - Map all data and audit subcontractors

Companies and their subcontractors will both be responsible for treatment of personal data and the creation of a protection system. This means companies have to map their use of data and identify any partners that are involved in the collection and use of data.

2 - Train a Data Protection Officer (DPO) to replace the CIL (Correspondant informatique et libertés)

The GDPR encourages companies to appoint a DPO. A DPO is required for public organizations, organizations that process data on a large scale, and organizations that collect sensitive data such as healthcare data or data related to background checks. The DPO is in charge of guiding an organization's compliance efforts. He or she will ensure that the company follows its legal obligations and cooperates with the CNIL.

3 - Keep a record of data collection for the CNIL

Download here.

4 - Carry out an impact study

To help companies manage this change, the CNIL published a new version of its privacy impact assessment (PIA) software, as well as a case study on connected objects (sleep monitors).

5 - Ensure complete transparency in terms of data collection

This covers cookies, general terms and conditions, the right to access data, the right to erase data, the right to transfer data, and profiling (e.g., massive data collection via Twitter, Facebook or Amazon). Companies must be transparent about their collection and use of data as well as their security measures.

6 - Alert the CNIL if there is a breach of privacy for personal data

A company that is the victim of a security failure or a cyber attack must inform the CNIL within three days, as well as the people affected by the breach if it presents a high risk to their rights and freedoms. The same goes for a company's clients. To prevent data breaches, it is recommended that companies contact the ANSSI (French National Authority for the Security and Defense of Information Systems).

7 - If a company transfers data to a server in the USA, ensure the service provider has declared Privacy Shield compliance

To do so, simply check the official U.S. website and ensure that the service provider's status is shown as OK.
