The new General Data Protection Regulation is tightening up the personal data management practices of organisations in general, and digital players in particular.
When the regulation was published, Cegid began a compliance programme for its own solutions and its internal data management, and is now making that expertise available to its customers. In this document we present the content and challenges of GDPR, with a focus on the role of the Data Protection Officer (DPO), and a summary of our expertise in the subject.
Presentation and Challenges
25 May 2018 saw the General Data Protection Regulation (GDPR) become applicable across the European Union. Adopted by the European Parliament and the Council in April 2016 after a two-year transition period, it is a regulation rather than a directive, so it applies directly in all 28 member states without national transposition. Its provisions cover organisations established in the EU, and also organisations anywhere in the world that offer goods or services to individuals in the EU or monitor their behaviour, including those that store, host or otherwise process the personal data of EU residents on their behalf.
The growing place of digital technology in individuals’ everyday lives makes it easier for organisations to exploit personal data. Where the aim is profiling, personalisation or monetisation, these practices need to be adapted, both to improve the protection of individuals’ personal data and to help organisations introduce standardised, transparent data governance, which in turn makes it easier to run high value-added analytical programmes (know your customer and personalisation, risk and fraud management, etc.).
The stated aim of GDPR is to “give control back to citizens over their personal data, while also simplifying the regulatory environment for organisations”. Its provisions profoundly alter the way in which organisations collect, manage, store and protect personal data.
What is personal data?
According to the European Commission: “Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.” In practice this covers not only names and contact details but also identifiers such as customer numbers, IP addresses, device identifiers and location data, whenever they can be linked back to a person.
GDPR sets a Europe-wide harmonised regulatory framework that is directly applicable in each of the 28 member states. This common language for personal data protection also binds organisations operating outside the European Union that offer goods or services to individuals in the EU, or that monitor their behaviour. The following rights of data subjects have been strengthened by GDPR:
Transparency of information and communications
The right of access to one's own data
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
GDPR also establishes a number of obligations for organisations:
Accountability principle: organisations must be able to demonstrate that they comply with the regulation.
Information principle: individuals must be told, in clear and accessible terms, what data is collected, for what purpose and on what legal basis, and what their rights are. Where the processing relies on consent, that consent must be freely given, specific, informed and unambiguous (a clear affirmative act), and must be as easy to withdraw as it was to give.
Lawfulness and purpose limitation principle: personal data may only be processed on one of the lawful bases set out in the regulation (consent, performance of a contract, a legal obligation, vital interests, a public task, or the legitimate interests of the controller), and only for specified, explicit and legitimate purposes; it may not later be used for purposes incompatible with those declared at collection.
Minimisation principle: organisations may collect and store only the data that is adequate, relevant and strictly necessary for the stated purpose. It is supplemented by the principle of storage limitation: data should be kept only for as long as the purpose requires (for example the duration of the contract), or for any longer period a legal retention requirement imposes, and then deleted or anonymised.
Privacy by Design & Privacy by Default: data protection, security and governance must be built in from the product/service design phase onwards, not bolted on afterwards. Furthermore, protection is no longer optional but active by default: the most privacy-protective settings must apply without any action from the user, who should never have to tick a box to protect their own data.
Appointment of a DPO (Data Protection Officer): mandatory for public authorities and bodies, and for any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (health, biometric, political opinions, etc.) or of data relating to criminal convictions. Other organisations may appoint one voluntarily.
Organisations must now give individuals more control over their personal data and abide by all of these obligations, or risk penalties. As a flagship measure, the regulation itself sets administrative fines far above those previously available to national supervisory authorities. Breaches of the obligations placed on controllers and processors (for example security, record-keeping or breach notification) can be fined up to €10m or 2% of worldwide annual turnover, whichever is higher; breaches of the basic processing principles, of individuals' rights, or of the rules on international transfers can be fined up to €20m or 4% of worldwide annual turnover, whichever is higher. To this must be added the cost of any damage to the company's reputation.