GDPR compliance in the social sector (SSE, Social and Solidarity Economy) has several specificities. Discover them here.
What is the GDPR and the consequences for an SSE?
The General Data Protection Regulation (GDPR) can be divided into several fundamental pillars.
The first pillar is information. This is everything that is visible on the website: privacy policy, cookie policy, HR policy, and also the collection of consent. The second pillar is security. This covers everything to do with penetration testing, the security of information systems, and in particular the prevention of hacking.
Another very important pillar, which we will develop extensively in this article, is the processor component. In fact, we are going to look at the key points for support software in the SSE sector. Structures that use this type of software are considered to be processors within the meaning of the GDPR.
The notion of processors is an essential pillar of the GDPR. Not all service providers are processors within the meaning of the GDPR. On the other hand, all processors within the meaning of the GDPR are service providers.
In practical terms, a processor in the sense of the GDPR is an organization that processes your data on your behalf. So it's like taking a ball of play dough, putting it in a box for example (data hosting) and modifying the shape of that dough a little on behalf of a structure.
There may be confusion about what a provider is that is not a processor. Dipeeo is a service provider but not a processor in the sense of the GDPR, because Dipeeo takes the clay and uses it on its own behalf to provide a service of its own (outsourced DPO service and GDPR support).
For example, hosting providers, service providers who handle security on your behalf, business tools, including HR, or payroll management, are considered processors within the meaning of the GDPR.
The notion of outsourcing is important because it is a question of accountability. For example, if you use a tool like Siham, which is social support software, you will be qualified as a data controller. You are therefore responsible for all personal data processing. It is up to you to decide which data processing operations will be carried out, for how long, and so on.
One of the very important things in the GDPR is that you are responsible for selecting GDPR-compliant technical service providers. This matters particularly when you are a job placement company, for example: you need a job placement tracking tool that processes data of a high degree of sensitivity. Many people are unaware of this.
If you do not check the compliance of your technical service providers, you are putting the personal data in your possession at risk. This is why the data protection agreement is an element of compliance: it is a contract between you and your service provider that commits them on data protection. Your accountability is at stake, so it is important to have a tool and service providers that are compliant.
Authorization (access rights) is sometimes overlooked, but it is fundamental. Not everyone can have access to all information. You need to set up a vertical and horizontal hierarchy to structure access to information (simple user, administrator, super administrator, etc.).
It is also a question of accountability. It prevents data breaches and data leaks. Not everyone has the same level of awareness or training. So the fact that you can choose who has access, and what they have access to, is fundamental and allows you to really control what is going on. Without that, it is impossible for you to know what your employees are going to do when they use the software.
Privacy by design means ensuring and checking for deviations from the GDPR when a tool or application is implemented. If there are deviations, they must be corrected, and whatever is needed must be developed, so that the tool is fully compliant.
And this includes, in particular, the aspect of data minimization. Data minimization is a very important point of the GDPR that is normally very complicated to implement.
You're only allowed to use the data you need. If you use more data, and especially unnecessary data, this poses a security problem. It's not easy to do, and that's why data minimization isn't always easy.
The right of access is a right that every user has. This right enables you to find out what information administrations, public or private bodies and commercial companies hold about you in their files.
If a beneficiary of the integration program needs to know what information is held about them, or wants to make a complaint about their data, you are the controller, so it is up to you to handle these requests.
Today, more and more, the GDPR is becoming second nature in France. Access requests are exploding, and this can be a danger for a structure that responds badly to an access request: there is certain information that must not be shared.
When you put a free comment area in your tool or application, you can't control what your users say. And it's very difficult to set up a system that prevents specific words from being put in free comments. So it can happen that a user makes derogatory, subjective comments about a person.
The only solution to this kind of problem is to raise awareness among your teams and users.
This will help reduce these comments. It is important to note that you are responsible for your tool, so it is your accountability to manage these issues.
As controller, you are obliged to respect the data retention period for personal data. You cannot retain data for an unlimited period. There is always a time limit on data retention, not least because if you have a data breach, you are taking a risk: there will be a greater volume of data, so the risk of sanctions is greater.
How can this be achieved? The tool must be able to delete or archive personal data. Many tools only allow you to archive. This matters because retention periods are very hard to respect without a deletion function.
There are several data retention periods for personal data. To give you an idea, the same piece of data can be subject to different periods. For example, commercial prospecting allows you to retain personal data for 3 years. If the prospect becomes a client, you can use this data for the duration of the business relationship.
You can read our article on data retention periods for more information.
Deletion may be reversible (the data can be restored) or permanent, depending on the tool. Archiving, on the other hand, always allows data to be restored: the data is not deleted.
Anonymization, on the other hand, makes all personal data anonymous and therefore unidentifiable, but this action is definitive. If you anonymize the data, it will no longer be visible in the software, of course.
To understand the benefits of anonymization, you need to understand what personal data is. It is data about a person, or data about a company, that makes it possible to identify a person directly or indirectly.
Anonymization makes the data non-identifiable, and it is definitive. If it is not definitive, it is pseudonymization and not anonymization. For example, a license plate is a pseudonym that puts a number in your place. If, on the other hand, you had an anonymous license plate, no one would be able to find you.
So, in a nutshell, anonymization makes it possible to retain data for statistical purposes for a long time. If you no longer have personal data in your possession, you are no longer subject to the GDPR and therefore no longer subject to the data retention period. The point of the anonymization function is to be able to retain data for statistical purposes.
Please note that the right to be forgotten does not mean deletion. When someone requests the right to be forgotten, you still have obligations to keep some data. For example, I bought something on a platform. I ask for the right to be forgotten: it just means that they no longer have the right to canvass me, send me messages, etc. They still have the right, and in fact the obligation, to keep the invoice with my data; otherwise, in the event of a tax audit, they would not be able to justify the purchase.
So the right to be forgotten does not mean deletion. You still have data to keep for the duration of the legal limitation (prescription) period. Once that period is over, you can anonymize the data for statistical purposes.
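To make the distinctions above concrete (archive versus delete, pseudonymize versus anonymize, and a right-to-be-forgotten request that stops contact without deleting what must be kept), here is an added Python illustration; it is not code from Siham or from the article, and the record fields, sample records, reference date and the default 3-year prospecting period are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
import secrets

PROSPECTING_RETENTION = timedelta(days=3 * 365)  # the article's "3 years" for prospecting data
TODAY = date(2023, 1, 1)  # constructed reference date for the demo

@dataclass(frozen=True)
class Record:
    record_id: int
    name: str  # direct identifier
    email: str  # direct identifier
    city: str  # statistical field, survives anonymization
    last_contact: date
    can_be_contacted: bool = True
    archived: bool = False
    anonymized: bool = False
SAMPLE_RECORDS = [  # constructed: one stale prospect (older than 3 years), one recent one
    Record(1, "Alice Example", "alice@example.test", "Lyon", date(2019, 1, 1)),
    Record(2, "Bob Example", "bob@example.test", "Lille", date(2022, 11, 15)),
]

def right_to_be_forgotten(rec: Record) -> Record:
    # Stops prospecting/messaging; the record stays while a legal obligation (e.g. an invoice) exists.
    return replace(rec, can_be_contacted=False)
def archive(rec: Record) -> Record:
    return replace(rec, archived=True)  # archived, not deleted: can be restored
def restore(rec: Record) -> Record:
    if rec.anonymized:
        raise ValueError("anonymization is definitive: nothing to restore")
    return replace(rec, archived=False)

def pseudonymize(rec: Record, lookup: dict) -> Record:
    # Reversible: identifiers move to a separately protected lookup table, keyed by a random token.
    token = secrets.token_hex(8)
    lookup[token] = (rec.name, rec.email)
    return replace(rec, name=token, email="")
def depseudonymize(rec: Record, lookup: dict) -> Record:
    name, email = lookup[rec.name]
    return replace(rec, name=name, email=email)

def anonymize(rec: Record) -> Record:
    # Definitive: identifiers dropped, statistical fields kept, no lookup table anywhere.
    return replace(rec, name="", email="", can_be_contacted=False, anonymized=True)
def delete(records: list, record_id: int) -> list:
    return [r for r in records if r.record_id != record_id]  # permanent: gone from the store
def apply_retention(records: list, today: date = TODAY, retention: timedelta = PROSPECTING_RETENTION) -> list:
    # Once the retention period has run, anonymize for statistics rather than keep identifiable data.
    return [anonymize(r) if not r.anonymized and today - r.last_contact > retention else r for r in records]
```

Running `apply_retention(SAMPLE_RECORDS)` anonymizes only the 2019 record, keeping its city for statistics, while `restore` refuses to act on it afterwards.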
The Siham software was created and developed by RézoSocial. The software helps associations and SSE players in their missions to track people's journeys (training, disability, justice...), accommodation, civic service, outreach, and so on. It is software that tracks beneficiaries, automates administrative tasks, etc.
This article is based on the webinar held on Tuesday, November 15, 2022, by Anne-Marie M., RézoSocial Education Manager, and Raphaël Buchard, CEO of Dipeeo: your outsourced DPO.