General Data Protection Regulation, are you ready?

If you have a contact form or customer registration form on your site, for example, you are collecting personal data. Without specific action on your part, you will be illegal on 25 May.

The scales of justice and the GDPR

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It’s a bit technical, but ICE DEVELOPMENT explains everything: your responsibilities, the risks and above all what you absolutely must do between now and the 25th.

Why is the European Commission introducing the GDPR?

To strengthen the rights of Internet users

From 25 May, Internet users will be able to exercise the following 4 fundamental rights:

  • The right to inspect: they must be informed of the nature of the data collected and how it is used.
  • The right to object: they may request the total deletion of their data at any time.
  • The right to recover their data and pass it on to a third party.
  • The right of access: they can have access to their data whenever they wish.

Co-responsibility:

You are a customer of Ice Development and we store your customers’ data on our servers. You are therefore a data controller and we are not only your partner but also your processor.

The GDPR makes the data controller and its processor jointly responsible. The processor has as many responsibilities and obligations as the company responsible for the data processing. Transparency and trust will be the cornerstones of this relationship.

Who does the GDPR apply to?

The GDPR applies to all organisations, private or public, that process data, provided that:

  • The organisation is established in Europe
  • The organisation processes the data of European citizens

What are your obligations in terms of information?

Mandatory information

The CNIL proposes a form containing all the information that must be made available to customers so that they are fully aware of their rights and of the parties involved in the collection and processing of their data.

To generate your mandatory information, you can use the generator provided by the CNIL.

Cookies

When a web page is opened, it is no longer permitted to force users to accept cookies. “Accept” or “refuse” buttons must be visible and the related message must be understandable to a child. A link to the legal notice explaining why and how cookies are used is recommended.


Displaying a cookie banner that does not comply with standards
Displaying a cookie banner that complies with standards
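The cookie rule above has a concrete consequence for the code behind the banner: no non-essential cookie may be set until the visitor has explicitly chosen, and refusing must be as easy and as durable as accepting. The following is an added example (not code from the original page or from ICE DEVELOPMENT) of the server-side decision logic behind such a banner; the cookie name `cookie_consent`, its 180-day lifetime and the `accepted`/`refused` values are assumptions chosen for the example.

```javascript
// Added example: a consent gate for non-essential cookies.
// Nothing non-essential is allowed until the visitor explicitly accepts, and a
// refusal is stored exactly like an acceptance so the banner does not reappear.
// Cookie name and lifetime are assumptions, not values from the page.
const CONSENT_COOKIE = "cookie_consent";      // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;   // assumed lifetime: 180 days, in seconds

// Parse a raw Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Returns "accepted", "refused" or "undecided". Anything that is not an explicit
// stored choice counts as undecided: silence or a garbled value is never consent.
function consentState(cookieHeader) {
  const value = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (value === "accepted" || value === "refused") return value;
  return "undecided";
}

// Only an explicit "accepted" unlocks non-essential cookies (analytics, advertising).
function mayUseNonEssentialCookies(cookieHeader) {
  return consentState(cookieHeader) === "accepted";
}

// The banner (with visible "Accept" and "Refuse" buttons) is shown until a choice is made.
function shouldShowBanner(cookieHeader) {
  return consentState(cookieHeader) === "undecided";
}

// Build the Set-Cookie header value that records the visitor's choice.
// Refusal is persisted too, so refusing costs the visitor no more than accepting.
function consentSetCookie(choice) {
  if (choice !== "accepted" && choice !== "refused") {
    throw new Error("choice must be 'accepted' or 'refused'");
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Constructed sample requests, for illustration only.
const firstVisit = "session=abc123";                       // no choice yet: show banner
const refusedVisit = "session=abc123; cookie_consent=refused"; // banner hidden, no tracking
console.log(shouldShowBanner(firstVisit), mayUseNonEssentialCookies(refusedVisit));
```

The pattern worth keeping from this example is that the default is "undecided" rather than "accepted": an unknown or malformed value never unlocks non-essential cookies, and the banner's "Refuse" button writes the same kind of durable record as "Accept".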

Forms

For each item of personal data collected, you must define a clear and precise purpose and set a time limit for storing the data. These objectives and storage limits must be displayed on the site and the terms used must be understandable to children.


A contact form that does not comply with the GDPR, without the required information and without links to the privacy policy.
The same GDPR-compliant contact form with legal information and access to the privacy policy pages.

The data protection officer

The appointment of a data protection officer is compulsory if your organisation:

  • Is a public entity.
  • Carries out regular and systematic monitoring of individuals on a large scale.
  • Carries out sensitive processing or processing related to criminal convictions and offences.

It is nevertheless advisable to appoint a data protection officer whom your customers or employees can contact at any time to assert their rights.

The Data Protection Officer can be:

  • An employee.
  • A contractual service provider.
  • A specialist company.

Your responsibilities and obligations

Prioritising your actions

A company that processes data must be organised to comply with the law. To do this, the organisation must list and prioritise all the data processing actions it undertakes. This list is then made available in the site’s legal notices.

List the events that may occur

Like the fire alert protocol, you must always anticipate the worst. A structure that recovers or processes data must be alert to any potential fault. Listing the events that may occur is one way of putting in place action protocols and dealing with problems quickly and in an organised manner.

The two mandatory documents in the event of an inspection

1. Contract between your company and a subcontractor

The contract must include mandatory clauses:

  • The purpose of the processing
  • The nature and purpose of the processing
  • The type of personal data and the categories of data subjects
  • The obligations and rights of the data controller
  • At the end of the service, all data must be deleted or returned to your customer
  • At the end of the service, it is necessary to destroy all existing copies unless there is a legal obligation to retain them (if the country concerned has made this a law).

2. Traceability register

The traceability register is mandatory. It must include all information relating to the collection and processing of data. You must list all the activities in your company that require data to be processed (training, payroll management, canvassing, etc.).
For each data processing activity, you must define:

  • The objective
  • The data collected, by category
  • Who has access to the data
  • How long the data is kept

Download the model register proposed by the CNIL.

Processing risky data

Processing sensitive data is considered to be risky data processing, since it may have a direct impact on the privacy of the individuals concerned.

Sensitive data

Data is said to be sensitive when it:

  • relates to sexual orientation
  • relates to political, religious or trade union membership
  • concerns biometric or genetic data
  • reveals racial or ethnic origin

Processing risky data

Data processing has effects that may be considered risky when the processing :

  • Leads to the rating of a person.
  • Involves a large-scale database.
  • Excludes a person from a right, benefit or service.
  • Enables innovation or the application of new technologies (e.g. connected objects).
  • Targets vulnerable individuals (e.g. minors).
  • Implements automated decision-making.
  • Applies to a personal surveillance service.
  • Falls within the field of health.

These types of processing require you to draw up a document analysing the impact of your data processing.

Analysing the impact of your data processing

It is your responsibility to draw up this document, and it is our duty to support you throughout the process and do everything we can to provide you with the necessary information.

This document must include:

  • A description of all the processing operations envisaged and their purposes.
  • An assessment and ranking of the risks to the rights and freedoms of data subjects.
  • The measures envisaged to address the risks, by means of security measures and mechanisms designed to ensure the protection of personal data.

Subcontracting

Who are the subcontractors?

  • IT service providers (hosting, maintenance, etc.), software integrators, IT security companies and digital services companies that have access to data.
  • Marketing or communications agencies that process personal data on behalf of customers.
  • Any organisation offering a service involving the processing of personal data on behalf of another organisation.
  • A public body or an association may also receive such a qualification.

The obligations of the subcontractor

A duty of transparency and traceability:

  • The processing must only be carried out on documented instructions from the data controller
  • Make available to the data controller all the information necessary to demonstrate compliance with obligations
  • Create a traceability register of exchanges and actions carried out, in case of control by the authorities.

Guarantee compliance with legal requirements:

  • Ensure that persons authorised to process the data are subject to confidentiality standards
  • Guarantee that only the data necessary are processed, in terms of the quantity and scope of the processing, the retention period and the number of people who will have access to it.

Ensure the security of stored data:

  • Notification to the data controller of any breach is mandatory
  • Take all necessary measures to ensure a level of security appropriate to the risk

A duty of assistance, alert and advice:

  • Assistance: when an individual wishes to exercise their rights regarding their data, the subcontractor must do everything possible to assist the data controller in responding to the request
  • Alert: if the data controller’s request constitutes a violation, the subcontractor must immediately inform them
  • Advice: the duty to assist the data controller in ensuring compliance with obligations regarding the security of processing.

Check the subcontractor’s guide on the CNIL website.

The penalties

There are two levels of penalty, each set as a fixed amount or a percentage of your turnover, and in each case the larger of the two amounts applies:

  • In case of failure to comply with the basic principles, the fine can reach 10 million euros or 2% of your global turnover.
  • In case of non-compliance with users’ rights, the fine can reach 20 million euros or 4% of your global turnover.

Are you ready for the GDPR?

  1. Have you appointed a person responsible for the governance of your organisation’s data?
  2. Have you implemented a traceability register of all actions related to data processing?
  3. If so, have you included in the traceability register a list of the actions taken, and prioritised them, regarding the processing of your customers’ data?
  4. Have you written the impact assessment of your data processing in case of “risky” data processing?
  5. If so, have you identified and taken into account all the events that can occur during processing? (security breaches, changes in the collected data, changes in service providers…)
  6. If so, have you identified the high risks associated with your data processing?

If you haven’t answered “yes” to all the questions, contact us immediately to prepare your compliance in view of 25 May.