
GDPR compliance is an opportunity for any organization to examine its digital practices and services, in order to take personal data protection into consideration.

Do you need to be GDPR compliant? If so, how?

The GDPR compliance process should not be seen as a purely legal or technical constraint. An organization's compliance procedure depends on its activity, its tools and above all its practices around personal data. In other words, it is an opportunity for a company of any size to examine its digital practices and services so that the protection of personal data is properly taken into account and the company is GDPR compliant.

According to the CNIL (Commission Nationale de l'Informatique et des Libertés, the French data protection authority), the GDPR compliance procedure goes through a number of successive stages, and some of the resulting actions must be maintained over time to remain effective.

It should be stressed that as soon as personal data is processed, whether it concerns clients or employees, there is some level of GDPR risk. Hence the value of consulting an expert, for example by appointing an external DPO to handle your GDPR matters. This saves time and secures the business. You can consult one of our experts for an introduction to Dipeeo's outsourced DPO service.


The GDPR processing register

The GDPR record of processing activities is a document, often a spreadsheet, that describes each processing of personal data the company carries out: its purpose, the categories of data and of data subjects, the recipients, the retention period and a general description of the security measures. For more information, consult our article on the subject.

First of all, not every company that processes personal data is obliged to record every processing operation in a register.

According to the CNIL, below 250 employees only the following processing operations have to be recorded:

  • non-occasional processing (e.g. payroll, client and supplier management);
  • processing likely to result in a risk to people's rights and freedoms (e.g. geolocation, video surveillance);
  • processing of sensitive data (e.g. health data, criminal offences).

Processing register: two categories of activity

Before setting up the register, every organization must identify, for each processing operation, whether it acts as a controller or as a processor, since this distinction is also part of the compliance process.

✅ In other words, a company creating its processing register must also identify the processing it carries out as a processor for another organization.

The data controller's register

This is the processing register that lists the processing operations the company carries out for its own purposes, for which it is the data controller.

The processor register

When an organization also acts as a processor, it must keep a processor register in addition to the controller register. This register lists all categories of processing activities carried out on behalf of its B2B clients.

To sum up: to be GDPR compliant, every company that processes personal data must keep a processing register, known as the controller register, subject to the derogation for organizations with fewer than 250 employees described below. As soon as it also processes personal data on behalf of another organization, it must keep a separate register of its processing activities as a processor. You can download the CNIL's GDPR guide for processors.

Article 30 GDPR

The processing register is provided for in Article 30 GDPR and is one of the documents that demonstrate compliance (the accountability principle). The CNIL publishes a template for it.

Often showcased by the software used to digitize it, the register is in fact no more than an inventory of the processing activities carried out. Its format is free; what Article 30 requires is its content. It is mandatory in most cases, the only relief being the derogation for organizations under 250 employees, and even that is narrow.

Keeping a processing register is mandatory under Article 30 GDPR from the moment personal data is processed, whatever the size of the organization. Article 30(5) does, however, provide a derogation for organizations with fewer than 250 employees.

In practice, companies with fewer than 250 employees benefit from what is known in legal terms as a "derogation" on the keeping of the register. Their register need only contain the following processing operations:

- non-occasional processing, such as prospect and client management;

- processing likely to result in a risk to the rights and freedoms of individuals, such as geolocation or surveillance systems;

- processing of sensitive data, such as health data.

⭐ Put the other way round, a processing operation can be left out of the register under the Article 30(5) derogation only if it is occasional, is not likely to result in a risk to the rights and freedoms of data subjects, and does not involve the special categories of data listed in Article 9 (health, genetic, biometric data, etc.) or the data relating to criminal convictions and offences covered by Article 10. If any one of these conditions fails, the processing must be recorded. For the exact wording, consult the General Data Protection Regulation.
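The Article 30(5) test above, together with the controller/processor split described earlier, is easy to get wrong when an inventory is kept by hand, so here is an added example (written for this page, not the CNIL's template or Dipeeo's tooling) that applies the rule to a small constructed inventory. The field names, the Article 9 / Article 10 category labels and the sample entries are assumptions; map them onto your own register's vocabulary.

```python
from dataclasses import dataclass, field
from enum import Enum

# Data categories covered by Article 9 (special categories) and Article 10
# (criminal convictions and offences). The labels are assumptions for this
# example; map them onto whatever vocabulary your own register uses.
ARTICLE_9 = {"health", "genetic", "biometric", "racial_or_ethnic_origin",
             "political_opinions", "religious_beliefs", "trade_union", "sex_life"}
ARTICLE_10 = {"criminal_convictions", "offences"}


class Role(Enum):
    CONTROLLER = "controller"   # processing for the company itself, Article 30(1)
    PROCESSOR = "processor"     # processing on behalf of a client, Article 30(2)


@dataclass
class Processing:
    name: str
    purpose: str
    role: Role
    data_categories: set
    occasional: bool          # True only for genuinely one-off processing
    risk_to_rights: bool      # e.g. geolocation, video surveillance, profiling
    retention: str
    recipients: list = field(default_factory=list)


def must_be_registered(p: Processing, headcount: int) -> bool:
    """Article 30(5): an organisation with fewer than 250 employees may leave a
    processing out of its register only if it is occasional, is not likely to
    result in a risk to rights and freedoms, and involves no Article 9 or
    Article 10 data. At 250 employees or more everything is registered."""
    if headcount >= 250:
        return True
    special = bool(p.data_categories & (ARTICLE_9 | ARTICLE_10))
    return (not p.occasional) or p.risk_to_rights or special


def build_registers(processings, headcount):
    """Return the two Article 30 registers (controller and processor), each
    holding only the processing that must be recorded for this headcount."""
    registers = {Role.CONTROLLER: [], Role.PROCESSOR: []}
    for p in processings:
        if must_be_registered(p, headcount):
            registers[p.role].append(p)
    return registers


# Constructed sample inventory for a 40-person company (not real data).
SAMPLE = [
    Processing("payroll", "pay employees", Role.CONTROLLER,
               {"identity", "bank_details"}, occasional=False,
               risk_to_rights=False, retention="5 years after departure"),
    Processing("office_cctv", "protect premises", Role.CONTROLLER,
               {"images"}, occasional=False, risk_to_rights=True,
               retention="1 month"),
    Processing("one_off_survey", "2023 satisfaction survey", Role.CONTROLLER,
               {"email", "opinions"}, occasional=True, risk_to_rights=False,
               retention="until results are compiled"),
    Processing("sick_leave_followup", "occupational health", Role.CONTROLLER,
               {"identity", "health"}, occasional=True, risk_to_rights=False,
               retention="duration of the leave"),
    Processing("crm_hosting_for_acme", "host a client's CRM", Role.PROCESSOR,
               {"identity", "email"}, occasional=False, risk_to_rights=False,
               retention="per contract with the client",
               recipients=["Acme SAS"]),
]


def register_names(headcount=40):
    """Names of the entries in each register, for a given headcount."""
    regs = build_registers(SAMPLE, headcount)
    return {role.value: [p.name for p in entries] for role, entries in regs.items()}


if __name__ == "__main__":
    for role, names in register_names().items():
        print(role, names)
```

Note what the rule does with the two occasional entries: the one-off survey drops out of the 40-person company's register, but the equally occasional sick-leave follow-up stays in because it touches health data (Article 9). Raise the headcount to 250 and the survey comes back, since the derogation no longer applies at all.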


Drawing up your GDPR record of processing

As with the first stage of any process, setting up the register begins with gathering the information available and needed for it: meetings with the operational managers of every department or service that processes personal data, directly or indirectly.

At this stage the data controller must also carry out a general review of its website to identify all the data collected through online forms. More details on making a website GDPR compliant are given further on.

The next step is to draw up an exhaustive list of the activities that involve the processing of personal data, using the information gathered in the interviews, and to fill in a register sheet for each activity. The CNIL publishes its own record of processing to set an example, and you can consult it on its website.

Finally, once the information has been gathered and the list of processing operations drawn up, comes the stage of analyzing the risks that weigh on each processing operation. Don't forget that a GDPR compliance action plan will then need to be drawn up.

GDPR compliance of the structure

The organization's own compliance is a key point. It covers HR practices, sales prospecting, the technical processors behind business and support tools, employee awareness, and so on.

Raising employee awareness of GDPR best practices

You cannot control every employee's practices, but you can raise their awareness of GDPR best practices. Share our article with your employees; it will make their lives easier.

GDPR and HR rules

The subject has become one of the most sensitive, as GDPR complaints filed by employees against their employers have soared.

On the one hand, employers must comply with basic rules, such as collecting only the data necessary for the running of the business. In some cases a data protection impact assessment (DPIA) must be carried out to determine whether the processing can go ahead and under what safeguards.

Informing employees is also key. A comprehensive privacy notice must tell them about the processing of their personal data, the retention periods, and their rights over their data.

Commercial prospecting

When it comes to prospecting, first and foremost you need to be GDPR compliant, given the personal data processed. This protects your prospects' personal data and preserves their trust.

Respecting consent

According to the CNIL, B-to-B prospecting can rely on the company's "legitimate interest". The conditions it imposes are that the message relates to the person's professional role, that the person is informed at the time of collection that his or her e-mail address will be used for prospecting, and that he or she can object simply and free of charge, for instance through an unsubscribe link in every message.

In the B-to-C sector, on the other hand, the person's consent must be obtained before any prospecting by e-mail. That consent must be freely given, specific, informed and unambiguous; a pre-ticked box does not count.

Here is an example of a consent request on a site:

You can also check out our 11 tips for better GDPR commercial prospecting.

Compliance with Data retention periods for databases

✅ The GDPR's storage-limitation principle means personal data must not be kept longer than necessary for the purpose for which it was collected. The maximum retention periods are set either by law (laws, decrees, regulations) or by the French supervisory authority, the CNIL, through its recommendations and reference frameworks.

On this subject, consult our article on the retention periods that apply to fields such as sales prospecting, marketing, accounting and human resources.
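A retention period is only enforced if something actually applies it to the database, and the practical difficulty is that the clock starts at a different event for each purpose (last contact for a prospect, end of contract for a client, document date for an invoice). The added example below, written for this page rather than taken from the CNIL or Dipeeo, partitions a small constructed set of records into those to keep and those to purge as of a given date. The trigger events and durations in the policy table are illustrative assumptions; the real ones come from the law or from the CNIL's recommendations for each field.

```python
from datetime import date, timedelta

# Constructed retention policy. The trigger events and durations below are
# illustrative assumptions for this example; take the real ones from the
# applicable law or from the CNIL's recommendations for each field.
RETENTION_POLICY = {
    # purpose: (date field that starts the clock, how long to keep afterwards)
    "prospecting":    ("last_contact",  timedelta(days=3 * 365)),   # assumed
    "client_account": ("contract_end",  timedelta(days=5 * 365)),   # assumed
    "invoicing":      ("document_date", timedelta(days=10 * 365)),  # assumed
}


def retention_deadline(record):
    """Date after which the record must be deleted or anonymised, or None if
    the clock has not started yet (e.g. the client contract is still running).
    An unknown purpose raises KeyError on purpose: a record with no documented
    purpose has no lawful retention period at all."""
    trigger, period = RETENTION_POLICY[record["purpose"]]
    start = record.get(trigger)
    return None if start is None else start + period


def partition_by_retention(records, today):
    """Split records into those to keep and those whose deadline has passed."""
    keep, purge = [], []
    for r in records:
        deadline = retention_deadline(r)
        if deadline is not None and today > deadline:
            purge.append(r)
        else:
            keep.append(r)
    return keep, purge


# Constructed sample database rows (not real people).
SAMPLE_RECORDS = [
    {"id": "p1", "purpose": "prospecting",    "last_contact": date(2020, 1, 15)},
    {"id": "p2", "purpose": "prospecting",    "last_contact": date(2023, 3, 1)},
    {"id": "c1", "purpose": "client_account", "contract_end": None},   # active client
    {"id": "c2", "purpose": "client_account", "contract_end": date(2018, 6, 30)},
    {"id": "i1", "purpose": "invoicing",      "document_date": date(2016, 1, 10)},
]


def purge_ids(today=date(2024, 6, 1)):
    """IDs that the retention policy says must be purged as of `today`."""
    _, purge = partition_by_retention(SAMPLE_RECORDS, today)
    return [r["id"] for r in purge]


if __name__ == "__main__":
    print("to purge on 2024-06-01:", purge_ids())
```

Run it as a scheduled job and log what it purges: the register entry for each purpose should state the same trigger and duration as the policy table, which is what an auditor will compare against the database.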

Website GDPR compliance

⭐ The website is a key point of GDPR compliance: it is the part of the organization most visible to the general public.

That is why your website must contain a number of elements for you to be compliant.

Two documents are required for proper website compliance: the privacy policy and the cookie policy.

In addition, a number of information notices must be provided.

If you have a newsletter, for example, or a sign-up form for prospects, the form must state that by clicking, the person agrees to receive your newsletter, and nothing else. The GDPR is that simple.

Don't forget the cookie banner, which informs visitors of the categories of cookies you use and, for cookies that are not strictly necessary, lets them accept or refuse them. Refusing must be as easy as accepting, and no such cookie may be set before the visitor has made a choice.

For more details on cookie categories, please consult our article on the subject.

How do I make my digital tool GDPR compliant?

Article 25 GDPR lays down the principle of "privacy by design" (data protection by design and by default), which lies at the heart of the General Data Protection Regulation (GDPR). Companies are now obliged to build data protection into their tools from the design stage rather than bolting it on afterwards.

It goes without saying that the entry into force of the GDPR has required companies that have chosen to be compliant to be more careful about the processing of personal data.

While it is no longer mandatory to declare your website to the CNIL, its compliance remains a must whenever personal data is processed, whether through a questionnaire, an order or the creation of an online account. In each of these cases the company is obliged to apply the rules of personal data protection.

Whether you sell online, communicate on social networks or run a showcase site, taking these rules into account remains mandatory for your compliance.

A showcase site simply presents your main activity; typically all it offers is a contact form and, probably, a newsletter subscription.

✅ The most important thing to remember is to build basic data-protection reflexes into the design of the website. Above all, access to the site's content must not be conditional on subscribing to your newsletter.


Accountability in the event of a data breach ⚠️

Any organization that processes personal data must anticipate personal data breaches: put preventive measures in place and be ready to respond appropriately when an incident occurs. This too is part of the compliance procedure. Theft of personal data is increasingly common, and every organization needs to be careful, because such incidents affect not only the organization but above all the individuals concerned.

Two articles govern this. Article 32 GDPR requires the controller and the processor to implement appropriate technical and organizational security measures; that is what is meant to prevent breaches in the first place. Article 33 GDPR then sets out what must be done when a breach nevertheless occurs: the controller must notify the supervisory authority (the CNIL in France) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a processor must notify the controller without undue delay; and every breach, notified or not, must be documented internally. Article 34 adds that when the breach is likely to result in a high risk to individuals, the data subjects themselves must be informed.

These obligations protect the data controllers, who are the first to be affected, by preserving their information assets and allowing them to secure their data afterwards, and above all the people whose data has been stolen, by limiting the damage done to them as far as possible.

Managing compliance through a DPO

What is a DPO?

You have probably asked yourself what a DPO is. Put simply, the DPO, or Data Protection Officer, is the conductor of the organization's GDPR compliance in terms of personal data protection.

This is the person who assists the controller or processor in the compliance process. He or she may be internal (an employee of the company) or external (such as Dipeeo).

But the question is: do I have to appoint a DPO?

When is a DPO mandatory?

To answer this question, the CNIL specifies that appointing a DPO (internal or external) is mandatory only for:

- public authorities and bodies (e.g. local authorities, public establishments);

- organizations whose core activities involve regular and systematic monitoring of people on a large scale, such as insurance companies;

- organizations whose core activities involve large-scale processing of sensitive data, i.e. genetic, biometric or health data, or data relating to criminal convictions and offences.

Outside these three cases, appointing a Data Protection Officer is still recommended, indeed encouraged, by the CNIL as a way of ensuring compliance.

Key points to check when selecting a DPO

Article 37 GDPR stipulates that the DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. In other words, a DPO must have a solid grounding in personal data protection and the ability to carry out the tasks assigned to him or her, namely those listed in Article 39.

✅ In this regard, the CNIL lists at least five missions that a DPO must be able to handle. Taking into account the nature, context and purposes of the processing, the DPO must have due regard to the risks associated with it. For further details, consult the DPO guide published by the CNIL, which deals with this subject in greater depth.

Duties of a DPO

As for those missions, the DPO informs and advises the controller or processor of its obligations under the GDPR, monitors compliance with the regulation and with other Union and national data protection provisions, provides advice on data protection impact assessments where requested, and cooperates with and acts as the point of contact for the supervisory authority, including for prior consultation.

It is also recommended that the DPO be located in the European Union so as to meet the accessibility requirement. And for compliance, the controller and the processor must publish the DPO's contact details and communicate them to the supervisory authority.

Conflict of interest

The DPO may work full-time or part-time on the subject.

When it is part-time, the DPO's other duties must not create a conflict of interest: in particular, he or she cannot hold a position in which he or she determines the purposes and means of a processing operation.

The functions likely to conflict with the DPO role are as numerous as they are varied: company secretary, department head, general manager, head of marketing, and so on.

Other, "lower" roles in the company may also give rise to a conflict with the DPO function, for the simple reason that the person would seek to apply management's objectives rather than follow the rules on personal data protection.


Why outsource the DPO function?

Before appointing a DPO, check that he or she has the qualifications and skills the CNIL expects. Once this is done, you can compare the alternatives on the market. You can also consult our rates on the subject.

Speaking of rates, that is the first advantage of appointing an external DPO: even a part-time employee will generally cost more than an external DPO.

What's more, an external DPO's main job is bringing organizations into compliance. He or she is trained, certified and sees many varied cases every day, across organizations in different business sectors.

GDPR compliance risks ⚠️

Through ignorance of the GDPR's provisions, controllers and processors risk heavy sanctions and fines imposed by the CNIL.

Fines for non-compliance can reach €20 million or, for a company, 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. These sanctions can also be made public.

You can consult all the fines handed down by the CNIL to date.

On top of that, the main risk of non-compliance is to the business itself. For a start-up, the risk of being audited by the CNIL remains limited.

Complaints, from people canvassed by the company, from clients, employees or competitors, are the most common trigger for a CNIL investigation, although the CNIL also runs checks on its own initiative according to the priorities it announces each year. So the larger your company and the more prospects and clients you reach, the greater your chances of being audited by the CNIL.

Speaking of the business side, it is worth pointing out that the GDPR (Article 28) requires controllers to use only processors that provide sufficient guarantees that they will safeguard the personal data they process, and the CNIL checks this.

In short, if you work with a non-compliant provider and it loses the personal data it processes for you tomorrow, you remain accountable as the controller, for the simple reason that you did not check this point before signing the contract.

Prospects today are increasingly savvy about GDPR compliance. An organization that is not compliant therefore risks failing to turn all its leads into clients, for the simple reason that it is not compliant when the CNIL requires it to be. That is unfortunate, because a well-executed compliance process does not take a huge amount of work.

✅ You can make an appointment with one of our experts to go through this in detail.


European compliance

At European level, the GDPR is overseen by the European Data Protection Board (EDPB), a body set up by the regulation itself whose main task is to ensure that the GDPR is applied consistently across the member states of the European Union.

Before the creation of the EDPB, this role was played by the Article 29 Working Party (G29), set up by Article 29 of Directive 95/46/EC of 24 October 1995 on data protection and the free movement of such data. The EDPB can therefore be seen as the successor to the G29.

The EDPB is made up of the heads of the supervisory authorities of all the member states, or their representatives, together with the European Data Protection Supervisor (EDPS). Representatives of the authorities of Norway, Iceland and Liechtenstein also take part.

Unlike the 1995 directive, which relied on "prior formalities", the regulation is built on a logic of compliance: every organization is responsible for its own compliance, under the supervision of the regulator. Compliance therefore rests on transparency and accountability.

  This new European regulation has given rise to several new tools:

The benefits of GDPR compliance

Aside from being mandatory, GDPR compliance also creates value and brings multiple benefits. In other words, security is admittedly a GDPR requirement, but it is also an opportunity for any company to secure its business and strengthen the trust of its users.

Regardless of its size or sector of activity, any company can benefit from a number of advantages, thanks to good management of its users' personal data.

It can therefore combine GDPR compliance and value creation.  

Today's consumers are increasingly aware of, and vigilant about, the use of their personal data. The digital economy association ACSEL reports that eight out of ten French people are concerned about the processing of their personal data. A GDPR-compliant company is therefore more reassuring than one that is not.

What's more, GDPR compliance ensures that users, whether consumers, suppliers or service providers, have their personal data protected. The GDPR can therefore be seen as a means of restoring trust in the commercial relationship, and thus developing the business.

GDPR compliance also improves the brand image of any company in any sector: it strengthens the positioning of compliant organizations, becoming part of their social and ethical values.

Beyond the brand image with consumers, compliance enhances the employer brand. As an HR argument, it is proof of transparency and credibility and therefore makes a positive impression on candidates and employees.

Lastly, compliance saves the costs, which can be significant, that follow a data leak. Large companies such as Google, Facebook and, in France, Carrefour or RATP have already learned how costly personal data problems can be. Lost ground can be made up, but at great expense.

How much does GDPR compliance cost?

Becoming GDPR compliant is a major challenge for every company. It does not require a colossal budget, but the cost depends on criteria such as the size of the organization and the nature of the data processed.

Although the GDPR has been in force for more than four years, many companies still have not implemented compliance, for two reasons: it is not free, and data processing remains complex and requires a command of GDPR topics.

Put simply, the cost of the GDPR compliance process depends on several parameters, including the size of the company, the sector and field of activity, and the level of adjustment required to ensure GDPR compliance.

It is therefore difficult to give an average cost for GDPR compliance, since every process is different. For more details, you can make an appointment with one of our experts to go through the subject with you.

However, you can consult the rates for GDPR compliance.
