Understanding the GDPR fundamentals

The GDPR came into force on May 25, 2018. With it, old notions were reinforced and new ones created, and together they have shaken and sometimes overturned the digital world. Here is a focus on these notions and on the ins and outs of a regulation that has become the bête noire of the digital giants.


GDPR: no company could escape these four letters. Yet what it really means can be difficult to grasp.

Indeed, who is really concerned? How should it be applied? What are the new obligations? These are all fundamental questions whose answers are still too often unclear.

Let's shed some light on this new wave of data protection.

 

Why the GDPR?
What does the GDPR apply to?
Who should implement the GDPR?
The GDPR fundamentals
GDPR People's rights
Internal management and the GDPR (DPO, PIA, lead supervisory authority…)
Penalties

 

Personal data protection before May 2018

No, natural persons did not have to wait until 25 May 2018 to be protected…


Until 25 May 2018, French people were protected by the French law of 6 January 1978 on data processing, files and freedoms, amended by the law of 6 August 2004 on the protection of individuals with regard to the processing of personal data.

While those laws already provided some guidelines, the GDPR strengthens them (fairness, lawfulness, consent…) and creates new ones (transparency, new fines…).

Directive 1995/46/CE on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Directive 2002/58/CE concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

Regulation 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation). Domestic law was brought into line by adopting the draft law on the protection of personal data on Thursday 19 April 2018.

 

 

Why the GDPR?

Updating

Because, even if French people were not without protection, the legal framework was frankly not new. As the digital world is evolving daily at an unprecedented speed, it was high time to dust off these old texts.

The GDPR did it!

 

Extended protection

More than only applying to European companies, it can also apply to companies which are not located on European territory, or to European companies that process data outside the territory of the European Union.

 

Increased protection

The GDPR puts forward a clear objective, which is the protection of fundamental rights and freedoms. Europe's desire has been to protect natural persons by restoring their power to choose what happens to their data.

 

 

Congruence

The regulatory form chosen by the Union for the GDPR is not insignificant. With it, the Union shows its will to have a profound impact on the Member States in order to achieve a greater harmonisation of legislations. A regulation, unlike a directive, applies directly in every Member State, which makes protection more effective and efficient. The Union wanted to put an end to the disparities created by Directive 95/46/EC.

What does the GDPR apply to?

The European Data Protection Regulation applies to both automated and non-automated processing of personal data. It aims to protect these data in their processing and in their circulation.
 


 

Personal data

Any information about a natural person (name, address, phone number, geolocation, email address, preferences…)

Processing / circulation

Any data action from its collection to its deletion (downloading, transfer, recording…)

 

Note that strictly personal or domestic activities of natural persons are excluded from the protection of the GDPR.

Who should implement the GDPR?

Any type of organization, association, business group, establishment… :

 

On European territory
Any such organisation established in the Union which carries out data processing, even where the processing itself does not take place on the territory of the Union (e.g. a French company which processes Spanish or American data).

 

Outside European territory

Any such organisation which processes data of natural persons on the territory of the European Union in the context of:

  • An offer of goods or services
  • Monitoring the behaviour of individuals on the Internet (including the possible further use of personal data processing techniques).

The following are excluded:

  • Companies that are located outside the European Union and do not deal with the European Union either
  • Public authorities in the exercise of their official functions.

The GDPR fundamentals

The GDPR has a mantra: only NECESSARY information may be collected. No more accumulation of unnecessary data; only the data essential to carrying out the mission may be collected.

Once only the necessary data have been collected, the European Regulation gives the principles which need to be followed during the data processing. These safeguards must guide all your steps when processing the data in your possession.

The guidelines are the following:

  • Fairness
  • Lawfulness
  • Transparency

To learn more about the GDPR fundamental principles

GDPR People's rights

Right to restriction of processing / Right to object

Thanks to these rights, natural persons have the possibility to limit the processing of the collected data or to object to it.

Right to data portability

This innovative right allows anyone to retrieve their data in a machine-readable format. No obstacle can be erected by the controller.
A direct transfer from one professional to another can be requested by the data subject (where technically possible).

Right of access

This right allows any person to ask the controller whether it holds data concerning them and, if so, to have the contents transmitted to them.
Once the information is obtained, this right of access opens the way to the other rights:
– The right to rectification
– The right to restriction
– The right to erase data, or "the right to be forgotten"

Right to be forgotten

This is the possibility to request the deletion of data when one of the following cases is encountered:
– Keeping the data is no longer necessary
– The person concerned has withdrawn his or her consent
– The processing is not legitimate / the person objects to it
– The processing is unlawful
– A legal obligation imposes it
Consequently, the controller is obliged to delete the data as soon as possible.

Right to rectification

This right allows the natural person, in case of inaccuracy concerning his or her data, to request its correction.

Right to be informed

This right is the one by which the legal person brings certain information to the attention of the consumer (who the controller is, who will have access to the data…).
It is a response to the need for transparency.

 

Internal management and the GDPR

The data protection officer

The Data Protection Officer (DPO) is a conductor ensuring the compliance of the company's actions with data protection regulations.

Appointing one is mandatory in only 3 cases:
– Public or private bodies carrying out a public service mission
– Companies whose core activities require regular and systematic monitoring of personal data on a large scale
– Companies required to process special categories of data or data relating to criminal convictions or offences

Note: since the wording is broad, the CNIL may want to impose it on as many companies as possible.

Impact assessment

A data protection impact assessment must be carried out whenever your personal data processing may create a high risk to the data subjects' privacy.

The lead supervisory authority

In case of cross-border personal data processing, the lead supervisory authority is the sole interlocutor of the controller or processor. This authority provides a single window for greater clarity and simplicity in cross-border data processing.

Records of processing activities

This register records all the personal data processing carried out by the company. It is MANDATORY, but its content varies according to the number of employees (more or fewer than 250).

Penalties

The CNIL, which oversees the proper application of the GDPR, will be entitled to issue formal notices or administrative sanctions.

Administrative fines should be the most dissuasive. Indeed, the following fines can be imposed:

  • 10 million or 2% of global annual sales (whichever is greater).
  • 20 million or 4% of global annual sales (whichever is higher).

 

Protect your sensitive data and get familiar with the issues, penalties and obligations relating to the GDPR for 100% compliance.
