Understanding the GDPR fundamentals
The GDPR came into force on May 25, 2018. It reinforced old notions and created new ones, and in doing so has shaken up and sometimes overturned the digital world. This article focuses on these notions and on the ins and outs of a regulation that has become the bête noire of the digital giants.
GDPR: no company can escape these four letters. Yet its realities can be difficult to grasp.
Indeed, who is really concerned? How should it be applied? What are the new obligations? These are all fundamental questions whose answers are still too often unclear.
A spotlight on this new wave of data protection.
Personal data protection before May 2018
No, natural persons did not have to wait until 25 May 2018 to be protected…
Why the GDPR?
Because, although the French people were not without protection, the legal framework was frankly not new. As the digital world evolves daily at an unprecedented speed, it was high time to dust off these old texts.
The GDPR did it!
Extended protection
Beyond applying to European companies, it can also apply to companies that are not located on European territory, and to European companies that process data outside the territory of the European Union.
The GDPR puts forward a clear objective: the protection of fundamental rights and freedoms. Europe's aim has been to protect natural persons by giving them back the power to choose what happens to their data.
The regulatory form chosen by the Union for the GDPR is not insignificant. With it, the Union shows its will to have a profound impact on the Member States in order to achieve greater harmonisation of legislation. This format makes protection more effective and efficient. The Union wanted to put an end to the disparities created by Directive 95/46/EC.
What does the GDPR apply to?
Any information about a natural person (name, address, phone number, geolocation, email address, preferences…)
Processing / circulation
Any action on data, from its collection to its deletion (downloading, transfer, recording…)
Who has to implement the GDPR?
Any type of organization, association, business group, establishment…
But only one that processes data of natural persons on the territory of the European Union in the context of:
- An offer of goods or services
- Monitoring the behaviour of individuals on the Internet (including the possible further use of personal data processing techniques).
The following are excluded:
- Companies that are located outside the European Union and do not deal with the European Union either
- Public authorities in the exercise of their official functions.
The GDPR fundamentals
Once only the necessary data have been collected, the European Regulation sets out the principles that must be followed during data processing. These safeguards must guide all your steps when processing the data in your possession.
The guidelines are the following:
GDPR People’s rights
Right to restriction of processing / Right to object
Right to be forgotten
Right to data portability
Right to rectification
Right of access
Right to be informed
Thanks to those rights, natural persons can limit or object to the processing of the collected data.
This innovative right allows anyone to retrieve their data in a machine-readable format. The data manager may not put any obstacle in the way.
A direct transfer from professional to professional can be requested by the data owner (if it is possible).
This right allows any person to ask the controller whether it holds data concerning them and, if so, to have the contents transmitted to them.
Once the information has been obtained, this right of access opens the way to other rights:
– The right to rectification
– The right to limitation
– The right to erase data or “the right to be forgotten”
It is the possibility to request the deletion of data when one of the following cases applies:
– Storing the data is no longer necessary
– The person concerned has withdrawn his or her consent
– The processing is not legitimate / the person objects to it
– The processing is unlawful
– A legal obligation imposes it
Consequently, the controller is obliged to delete the data as soon as possible.
This right allows natural persons, where their data is inaccurate, to request its correction.
Under this right, the legal person brings certain information to the attention of the consumer (who the controller is, who will have access to the data…).
It is a response to the need for transparency.
Internal management and the GDPR
The data protection officer
The Data Protection Officer (DPO) is a conductor who ensures that the company's actions comply with data protection regulations.
– Public or private bodies implementing a public service mission
– Companies required to regularly and systematically monitor the personal data collected on a large scale
– Companies required to deal with special categories of information and criminal convictions or offences
A data protection impact assessment must be carried out whenever your personal data processing may create a high risk to the data subjects' privacy.
The lead supervisory authority
In the case of cross-border personal data processing, the lead supervisory authority is the sole interlocutor of the controller or processor. This authority provides a single window for greater clarity and simplicity in cross-border data processing.
Records of processing activities
This register records all personal data in the company's possession. It is MANDATORY, but its content varies according to the number of employees (more or fewer than 250).
The CNIL, which monitors the proper application of the GDPR, is entitled to issue calls to order or administrative sanctions.
Administrative fines are meant to be the most dissuasive. Fines of the following amounts can be imposed:
- 10 million or 2% of global annual sales (whichever is greater).
- 20 million or 4% of global annual sales (whichever is higher).