{"id":6742,"date":"2018-02-07T14:05:00","date_gmt":"2018-02-07T14:05:00","guid":{"rendered":"https:\/\/regimbeau.eliott-markus.cloud\/insight\/rgpd-donnees-a-caractere-personnel-que-faites-vous-au-cours-des-prochains-mois\/"},"modified":"2023-11-10T09:54:00","modified_gmt":"2023-11-10T09:54:00","slug":"gdpr-personal-data-what-are-you-doing-over-the-next-few-months","status":"publish","type":"insight","link":"https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/","title":{"rendered":"GDPR &#038; Personal Data : What are you doing over the next few months ?"},"content":{"rendered":"\n<p>Because companies do not yet appear to be fully prepared to adopt the new European regulation on the protection of personal data, we offer here a check\u2013list of changes to anticipate, to help ensure that your data processing will comply with these new requirements. Combining as they do both legal and technical considerations, personal data come within the scope of those responsible for a company's intellectual property.<\/p>\n\n\n\n<p>The French government has just made public the bill amending the \u201cdigital privacy\u201d act (French Law 78\u201317 of January 6, 1978 relative to Data Processing, Files and Individual Rights) to incorporate the forthcoming European General Data Protection Regulation (Regulation 2016\/679, abbreviated GDPR). It is anticipated that the bill will be adopted before the Regulation takes effect.<\/p>\n\n\n\n<p>According to a survey in April 2017, only 19% of surveyed businesses said they would be in compliance with this Regulation by its effective date of May 25, 2018; 33% would not be in compliance at all, and 44% in less than full compliance.<sup>1<\/sup><\/p>\n\n\n\n<p>The statute replaces the regime established by Directive 95\/46\/EC of 1995 and is intended to establish a unified set of regulations for personal data in the European Union.<\/p>\n\n\n\n<p>We should immediately point out that \u201cdata processing\u201d is defined very broadly and covers virtually any operation to do with personal data, from its collection to its destruction.<\/p>\n\n\n\n<p>The Regulation may not upset the general principles relating to procedures for collecting and processing personal data that we are familiar with (e.g., the legal bases of permissible data processing, obtaining consent, or time limits on retaining personal data); but is does make a number of changes in favor of individuals and consequently, creates new obligations for all natural persons, legal entities, public authorities, public services and all organizations that might collect personal data.<sup>2<\/sup><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Regulation applies to data processing managers and to outsourcing firms.<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>One of the contributions of the Regulation is to define the concepts of data manager or administrator (which it terms \u201cdata controller\u201d) and subcontractor (\u201cprocessor\u201d), as follows.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The data controller determines the purposes and means of processing, and<\/li>\n\n\n\n<li>A processor processes the personal data on behalf of the data controller.<\/li>\n<\/ul>\n\n\n\n<p>The Regulation also specifies the obligations of the outsourcer, in particular as regards data security, confidentiality and assisting the data controller with impact analyses, notifications to the supervisory authorities, and communications with the individuals affected by any data breach.<\/p>\n\n\n\n<p>In practical terms, this clarification makes it necessary to spell out the obligations of each party in contracts that involve processing personal data.<\/p>\n\n\n\n<p>Note that the French supervisory authority, commission on data processing and individual rights (Commission Nationale Informatique et Libert\u00e9s, or CNIL) recently published guidelines for processors.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Extensive scope<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>The Regulation therefore applies to all natural or legal persons, public authorities, public services or agencies (in particular, businesses and public bodies) of the European Union which deal with personal data.<\/p>\n\n\n\n<p>It also applies whenever data concerning a citizen of the Union are processed. Thus businesses and organizations outside of the European Union will also be subject to the Regulation\u2019s requirements if they process the personal data of European citizens.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Regulation specifies how to obtain consent from individuals to see their data.<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>These details concern both form (such as explicitness, understandability, clarity and simplicity, and keeping other matters separate if the consent is included in another document) and content (the consent must be obtained for purposes of a specific processing need.)<\/p>\n\n\n\n<p>Furthermore, consent may be withdrawn at any time, which places an obligation on data controllers, as for example when the consent is given online, to provide ways for the consent to actually be withdrawn and the data to be electronically deleted.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">It adds further protections of citizens and their data<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>The Regulation confirms certain rights: an individual\u2019s right to have access to his or her personal data, the so\u2013called \"right to be forgotten\" (i.e., the right to have one's data erased), the right to have personal data corrected, and the right to complete the data if incomplete.<\/p>\n\n\n\n<p>It also contains specific provisions concerning the individual's right to information about how the data will be processed. (Such information must be concise, transparent, comprehensible and easily accessible in clear and simple terms, in particular with respect to information intended for children, and free of charge, with exception made for unfounded or excessive requests for information.)<\/p>\n\n\n\n<p>Something new: The Regulation establishes a right to data portability. So long as an individual's data have been collected with his or her consent and the processing was automated, the individual may demand that the data controller transfer his or her data to another data controller.<\/p>\n\n\n\n<p>One exception, though: This right to portability does not affect data processed for a public service or governmental function.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The data controller has added responsibilities<\/strong><\/li>\n<\/ul>\n\n\n\n<p>This is one of the most notable changes in the new regulation. The regime of declaration prior to processing will be replaced by an obligation to implement technical and organizational measures to ensure and demonstrate the systematic compliance of the data processing with the Regulation, with the understanding that that the supervisory authorities (the CNIL in France) will be responsible for checking that all of these obligations are being met.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Privacy by design&nbsp;and&nbsp;privacy by default<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Once there is a plan to process personal data and the means of processing have been determined, the data controller must establish appropriate technical and organizational measures (such as pseudonymization<sup>3<\/sup>) to ensure the data are protected effectively.<\/p>\n\n\n\n<p>Furthermore, by default, only data necessary for a specific purpose may be processed. This requirement applies to the quantity of data, the scope of the processing, the retention time and the accessibility of data.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Obligation to keep a processing record<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Keeping a record of processing activities is mandatory for businesses and organizations except those with fewer than 250 employees (unless if the latter\u2019s data\u2013processing carries risks, is not occasional or includes personal data that is sensitive or concerns convictions and violations of law.)<\/p>\n\n\n\n<p>This record will be made available to the supervisory authority in the event of an audit. It shall contain the following information:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name and contact information of the data controller<\/li>\n\n\n\n<li>Purpose of the processing<\/li>\n\n\n\n<li>Description of the categories of persons concerned and of the categories of data processed<\/li>\n\n\n\n<li>Categories of users of the data<\/li>\n\n\n\n<li>Transfers to non\u2013EU countries<\/li>\n\n\n\n<li>And, to the extent possible, the schedule of data erasures and a description of the security measures in place.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Perform an Impact Analysis<\/strong><\/li>\n<\/ul>\n\n\n\n<p>The data controller must make an impact analysis before processing data if such processing presents a high risk to the rights and freedoms of the subjects, particularly in cases where \u201cnew technologies\u201d are used.<\/p>\n\n\n\n<p>Such an analysis will be especially called for in cases of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The systematic, thorough evaluation of personal aspects by automated processing and if the evaluation has legal consequences or significantly affects the individual<\/li>\n\n\n\n<li>Large\u2013scale processing of sensitive data and data relating to criminal convictions or offenses and<\/li>\n\n\n\n<li>Large\u2013scale surveillance of a publicly accessible area.<\/li>\n<\/ul>\n\n\n\n<p>Broadly speaking, an impact analysis lists all the risks associated with the processing of personal data and the measures taken by the data controller to minimize those risks.<\/p>\n\n\n\n<p>The guidelines give various examples of high\u2013risk situations: assessments (such as of work, health or behavior), automatic decisions, handling sensitive data, high volumes of data, merging data sets, etc.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Appoint a Data Protection Officer<\/strong><\/li>\n<\/ul>\n\n\n\n<p>The Regulation establishes the position of Data Processing Officer (DPO), who must be involved in any question relating to the protection of personal data and in particular must provide information and advice to the data controller or the outsourcer, monitor the application of the Regulation and cooperate with the supervisory authority.<\/p>\n\n\n\n<p>Appointing a DPO will be mandatory:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>for the public authorities or public bodies (except juridical ones),<\/li>\n\n\n\n<li>if the core activities of the data controller or outsourcer require the large\u2013scale, regular, systematic monitoring of individuals or consist of the large\u2013scale processing of special categories of sensitive data (such as racial or ethnic origin, health data, political opinions and union membership) and\/or data related to criminal convictions and offenses.<\/li>\n<\/ul>\n\n\n\n<p>In other cases, the Member States may make it mandatory to appoint a DPO.<\/p>\n\n\n\n<p>Note that the DPO is person and not a department and that he or she will have a particular status in the business or organization in terms of confidentiality, protection in the performance of his or her duties and so forth.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inform the supervisory authority and the persons concerned in case of breaches of personal data<\/strong><\/li>\n<\/ul>\n\n\n\n<p>In the event of a breach of security, the Regulation creates an obligation for the data controller<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>to so notify the supervisory authority (the CNIL) as soon as possible and no later than 72 hours after the breach becomes known and<\/li>\n\n\n\n<li>to communicate in a timely manner with the individuals concerned if the breach creates a high risk for them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">The transfer of personal data to non\u2013EU countries is restricted<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>Personal data may not be transferred outside the EU unless:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Commission rules that the non\u2013member country provides adequate protection of personal data and that individuals have enforceable rights and effective remedies (e.g., the Privacy Shield agreement between the European Union and the USA)<\/li>\n\n\n\n<li>The data controller or the processor has provided suitable safeguards, including in the case of group of companies, agreements as to the protection and transfer of data (referred to in the Regulation as \u201cbinding corporate rules\u201d)<\/li>\n\n\n\n<li>Or under certain conditions, such as that the individual has given his or her consent to the transfer after being informed of the risks, or the transfer is necessary to perform a contract or to make a legal case in court.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What sanctions are there?<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>Note first that the Regulation gives the supervisory authorities<sup>4<\/sup> investigative powers and the authority to order corrective measures (e.g., a warning, order, limitation of processing or suspension of data flows).<\/p>\n\n\n\n<p>The supervisory authorities then have the power to impose administrative fines, depending on which provisions of the Regulation were violated:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Up to \u20ac10 million or (for businesses) 2% of yearly global revenues and<\/li>\n\n\n\n<li>Up to \u20ac20 million or (for businesses) 4% of yearly global revenues<\/li>\n<\/ul>\n\n\n\n<p>In addition, an individual who has suffered harm may be compensated for it. Class actions may also be brought, depending on the laws of the nation.<sup>5<\/sup><\/p>\n\n\n\n<p>As a practical matter, this new set of regulations calls for reviewing the approach taken by businesses (and anyone else) to personal data and to re\u2013examine their practices of collecting and processing personal data and all processes that may affect personal data.<\/p>\n\n\n\n<p>This exercise needs to involve all parts of the company concerned, especially including the legal department, IS, human resources, the sales and customer relations departments, and everyone with legal and technical qualifications.<\/p>\n\n\n\n<p>Naturally, we remain at your disposal for advice and any additional information you may need.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><sup>1<\/sup> BAROM\u00c8TRE RGPD \u201cLa maturit\u00e9 des entreprises Fran\u00e7aises face au r\u00e8glement g\u00e9n\u00e9ral sur la protection des donn\u00e9es\u201d [\u201cThe Readiness of French Companies for the GDPR\u201d] April 2017 \u2013 Association Fran\u00e7aise des Correspondants \u00e0 la Protection des Donn\u00e9es \u00e0 caract\u00e8re Personnel<br><sup>2 <\/sup>The language of the bill provides exceptions, however, with regard to processing personal data (in a strictly personal or domestic context).The language of the bill provides exceptions, however, with regard to processing personal data (in a strictly personal or domestic context).<br><sup>3 <\/sup>The replacement of a name by a pseudonym<br><sup>4 <\/sup>In France, this means the Commission Nationale Informatique et Libert\u00e9s (CNIL).<br><sup>5 <\/sup>In 2016 the French legislature chose to rule out class action settlements in breaches of personal data. The bill discussed here amending the digital privacy act reintroduces this possibility.<\/h5>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Because companies do not yet appear to be fully prepared to adopt the new European regulation on the protection of personal data, we offer here a check\u2013list of changes to...<\/p>\n","protected":false},"author":24,"featured_media":0,"template":"","tags":[746,744,506],"class_list":["post-6742","insight","type-insight","status-publish","hentry","tag-gdpr-2","tag-software-data-en","tag-database-management-system"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>GDPR &amp; Personal Data : What are you doing over the next few months ? - Regimbeau<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GDPR &amp; Personal Data : What are you doing over the next few months ? - Regimbeau\" \/>\n<meta property=\"og:description\" content=\"Because companies do not yet appear to be fully prepared to adopt the new European regulation on the protection of personal data, we offer here a check\u2013list of changes to...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/\" \/>\n<meta property=\"og:site_name\" content=\"Regimbeau\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-10T09:54:00+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/en\\\/insight\\\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\\\/\",\"url\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/en\\\/insight\\\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\\\/\",\"name\":\"GDPR & Personal Data : What are you doing over the next few months ? - Regimbeau\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/#website\"},\"datePublished\":\"2018-02-07T14:05:00+00:00\",\"dateModified\":\"2023-11-10T09:54:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/en\\\/insight\\\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/en\\\/insight\\\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/en\\\/insight\\\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"GDPR &#038; Personal Data : What are you doing over the next few months ?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/#website\",\"url\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/\",\"name\":\"Regimbeau\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/regimbeau.eliott-markus.cloud\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"GDPR & Personal Data : What are you doing over the next few months ? - Regimbeau","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"GDPR & Personal Data : What are you doing over the next few months ? - Regimbeau","og_description":"Because companies do not yet appear to be fully prepared to adopt the new European regulation on the protection of personal data, we offer here a check\u2013list of changes to...","og_url":"https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/","og_site_name":"Regimbeau","article_modified_time":"2023-11-10T09:54:00+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/","url":"https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/","name":"GDPR & Personal Data : What are you doing over the next few months ? - Regimbeau","isPartOf":{"@id":"https:\/\/regimbeau.eliott-markus.cloud\/#website"},"datePublished":"2018-02-07T14:05:00+00:00","dateModified":"2023-11-10T09:54:00+00:00","breadcrumb":{"@id":"https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/regimbeau.eliott-markus.cloud\/en\/insight\/gdpr-personal-data-what-are-you-doing-over-the-next-few-months\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/regimbeau.eliott-markus.cloud\/en\/"},{"@type":"ListItem","position":2,"name":"GDPR &#038; Personal Data : What are you doing over the next few months ?"}]},{"@type":"WebSite","@id":"https:\/\/regimbeau.eliott-markus.cloud\/#website","url":"https:\/\/regimbeau.eliott-markus.cloud\/","name":"Regimbeau","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/regimbeau.eliott-markus.cloud\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/regimbeau.eliott-markus.cloud\/en\/wp-json\/wp\/v2\/insight\/6742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regimbeau.eliott-markus.cloud\/en\/wp-json\/wp\/v2\/insight"}],"about":[{"href":"https:\/\/regimbeau.eliott-markus.cloud\/en\/wp-json\/wp\/v2\/types\/insight"}],"author":[{"embeddable":true,"href":"https:\/\/regimbeau.eliott-markus.cloud\/en\/wp-json\/wp\/v2\/users\/24"}],"version-history":[{"count":0,"href":"https:\/\/regimbeau.eliott-markus.cloud\/en\/wp-json\/wp\/v2\/insight\/6742\/revisions"}],"wp:attachment":[{"href":"https:\/\/regimbeau.eliott-markus.cloud\/en\/wp-json\/wp\/v2\/media?parent=6742"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regimbeau.eliott-markus.cloud\/en\/wp-json\/wp\/v2\/tags?post=6742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}