All about the RGPD

Below you will find the obligations imposed by the RGPD, as well as answers to the questions you regularly ask yourself.

What is the RGPD?

The GDPR (General Data Protection Regulation) is a European regulation, which means that it came into force on the same day, May 25, 2018, in all Member States of the European Union. The same text is therefore applicable everywhere. The purpose of this regulation, as stated in its Article 1, is to establish "rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data."

The RGPD is sometimes perceived as "yet another regulation" coming from Brussels and imposed on companies and citizens. This overlooks the very innovative character of the RGPD, which has since been imitated in many non-European countries. The RGPD was conceived in response to the explosion of personal data collected and made available, sometimes without safeguards.

  1. The purpose of the GDPR is to protect the personal data of citizens by imposing security measures on organizations that collect data.
  2. Applications, websites and social networks collect and process a lot of personal data, and users are often unaware of the personal data they entrust to them for commercial purposes.
  3. The "traces" left by everyone are constantly increasing. Use of social networking platforms is growing, but loyalty cards, surveillance cameras, etc. also collect many "traces" of our behavior.
  4. Citizens are helpless in the face of this collection of personal data and of general terms of use so long and complex that they do not read them.
  5. The RGPD regulates the use of personal data and gives control back to citizens by granting them the right to access their data, the right to rectify it and even the right to erasure.

The RGPD is built around a few major, common-sense principles for securing the use of personal data. The goal is not to prohibit collection and processing but to control them.

THE 4 MAIN PRINCIPLES OF THE RGPD

  1. MINIMIZATION OF COLLECTED DATA
    1. ONLY STRICTLY NECESSARY DATA IS COLLECTED
  2. PREVENTION AND CYBERSECURITY
    1. SECURITY MEASURES ARE PUT IN PLACE TO PROTECT DATA FROM LOSS OR THEFT
  3. TRANSPARENCY AND ACCESS RIGHTS
    1. WE EXPLAIN TO DATA SUBJECTS WHAT WE DO WITH THEIR DATA
  4. ARCHIVING AND DESTRUCTION
    1. WE DESTROY THE DATA WHEN THEY ARE NO LONGER NEEDED

Who is concerned? All companies, associations, liberal professions, traders, public institutions, doctors, lawyers, accountants...

  • First and foremost, companies that prospect and manage data
    • B2B and B2C
    • Intermediation / brokerage
    • Digital professions
    • Contract management
  • No one is exempt
    • No profession or institution is exempt from compliance with the RGPD. Even if certain professions are bound by a duty of confidentiality or professional secrecy, this does not prevent the GDPR from applying to them.
    • Some structures are less concerned because they collect little data and have few employees; for example, local merchants who have no customer file or loyalty program...

There are two main obligations to fulfill:

1 - Implement everything required by the RGPD

2 - Be able to demonstrate everything you have done, with a GDPR compliance file.

ATTENTION, THE RGPD IS NOT ONLY ABOUT THE WEBSITE AND THE COOKIES!

  • WEBSITE
  • COOKIES
  • CYBERSECURITY
  • RIGHT OF ACCESS
  • HUMAN RESOURCES MANAGEMENT
  • SUBCONTRACTS
  • DATA BREACH
  • DOCUMENTATION
  • RGPD FILE
  • ARCHIVING
  • PAPER DOCUMENTS
  • EXISTING DATABASES
  • IT CHARTER
  • CONFIDENTIALITY CLAUSES
  • SURVEILLANCE CAMERAS
  • STAFF TRAINING
  • Implement IT security measures to protect data
  • Put in place the organizational measures needed to protect data
  • Make the website compliant (privacy policy, cookie management, consent collection, etc.)
  • Manage employee data
  • Manage subcontractors to whom personal data is entrusted
  • Put in place procedures for the rights of access, rectification, etc. of the data subjects
  • Check whether your existing databases are compliant with the RGPD
  • Establish a procedure to follow in case of theft or loss of data
  • Carry out a risk analysis where necessary
  • Map your data processing and complete the data processing register

COMPUTER SECURITY

YOU ARE RESPONSIBLE FOR IMPLEMENTING COMPUTER SECURITY MEASURES TO PROTECT THE DATA

LIMIT ACCESS TO DATA

YOU MUST LIMIT ACCESS TO DATA TO THOSE WHO ABSOLUTELY NEED IT (LEAST PRIVILEGE)

ARCHIVING

YOU MUST DECIDE WHERE TO HOUSE THE DATA, SECURE ITS STORAGE AND DESTROY IT WHEN IT IS NO LONGER NEEDED

DATA BREACH

YOU MUST BE ABLE TO REACT IN CASE OF HACKING, LOSS OR THEFT OF DATA, AND TO NOTIFY IT WITHIN 72 HOURS

Why you need to take action

4 YEARS LATER, NO ONE CAN CLAIM TO BE UNAWARE OF THE SUBJECT

While there may have been some tolerance at the beginning, today everyone has been widely informed. It is no longer possible to plead ignorance.

THE CNIL IS INCREASINGLY INTERESTED IN SMALL AND MEDIUM-SIZED COMPANIES

  • The role of the CNIL: facilitator, but also supervisory authority
  • Priority was initially given to large groups, which have now done a large part of the necessary work
  • In the event of an inspection, the CNIL can issue formal notices and, in some cases, impose fines
  • The CNIL's 2021 annual report records
    • nearly 15,000 complaints
    • fines totalling more than 214M€ (+55% compared to 2020)
    • 384 controls
  • In April 2022, the CNIL adopted a simplified sanction procedure with fines of up to 20,000€, aimed in particular at SMEs, VSEs and self-employed people.

INDICATORS IN CLEAR PROGRESSION

The CNIL's 2021 report once again shows the growing awareness of citizens, who can contact the CNIL when they feel their rights are not being respected. The number of complaints received by the CNIL has doubled in five years, despite a plateau during the COVID period. Some of these complaints may lead to company audits.

Graph of CNIL complaints concerning the RGPD

In addition, the CNIL receives all the data breach notifications filed by companies or organizations that are victims of incidents or hacks compromising personal data. Even though a portion of these events go unreported, the number of notifications jumped by 79% in 2021.

Interestingly, over the year 2021, 26% of these notifications came from micro-businesses and 43% from SMEs. This confirms that the smallest structures are particularly exposed to attacks and sometimes insufficiently protected.

WHAT ARE THE OTHER RISKS OF INACTION?

  • First, you risk losing the trust of the customers and prospects who entrust you with their data if you do not show them that you are protecting it
  • The other major risk is the accidental leakage of data or a malicious action (hacking, ransomware, ...)
  • In this respect, "RGPD and cybersecurity" are very much the same fight
  • Don't forget that taking data security into account is a requirement of the RGPD
  • You must absolutely implement security measures, both at the IT level and within your organization
    • At the technical level, think about
      • antivirus
      • an effective password policy
      • software updates
      • etc.
    • At the organizational level
      • staff training
      • confidentiality clauses
      • an IT charter
      • etc.

Good GDPR compliance therefore limits the risk of fraud and data leakage.

ABOVE ALL, BEING IN COMPLIANCE BRINGS MANY CONCRETE BENEFITS

  • Getting things "squared away"
  • Show your clients and partners that you take the subject seriously
  • Educate your colleagues and collaborators about privacy
  • No more fear of CNIL or customer audits
  • Think through the risks related to the management of personal data
  • Implement security measures commensurate with your organization's risks
  • Collect data in compliance with the regulations
  • Show on your website that you have taken privacy into account
  • Be able to respond to access and rectification requests
  • Implement an end-of-life data archiving and destruction policy

How to comply?

WHERE TO START?

  • LAWYERS, CONSULTANTS AND OTHER SERVICE PROVIDERS SEEM TOO EXPENSIVE?
  • TOO COMPLICATED TO GO ALONE?
  • IN SHORT, YOU DON'T KNOW WHICH WAY TO TAKE IT?

HERE ARE SOME ALTERNATIVES TO BRING YOU INTO COMPLIANCE

  • Do nothing
  • Do everything internally, using tools and support material
  • Involve a service provider (lawyer or specialized counsel)
  • Entrust the whole thing to an external DPO

 

Weighing the pros and cons, you will undoubtedly see that there is no perfect solution: each company or structure has its own needs and its own context. The cost and the time investment must be taken into account, now and in the future.

OUR TIPS FOR COMPLIANCE

  • Aim for sustainable compliance
    • Not just a "one-shot" mission
    • Rather, a lasting program that can be truly integrated
      • Easier when your processes change
      • Easier to proceed in small, "homeopathic" doses
  • You can't delegate everything: it's your business, your processes, your customers, etc.
    • You must master the subject even if no one in your company is dedicated to it
    • Above all, you must be able to honor your commitments, e.g. on data processing and deletion
  • A 360° approach that addresses all the RGPD issues in all their dimensions
    • Not just the personal data policy
    • Not just a legal or a technical approach
  • Keep it simple, aim for 80/20
    • Prioritize topics
    • Use proven models, no need to "always reinvent the wheel"
    • For example, the data policy must be simple and easy for the average person to understand

GDPR FOLDER HAS REAL ASSETS TO HELP YOU IN YOUR APPROACH

  • A very affordable cost compared to the alternatives
  • You start immediately
  • You can move forward independently and complete the questionnaire
  • You quickly know where you stand
  • You have all the legal documents needed to correct course
  • Your RGPD file is built up as you go along
  • Etc.

GDPR FOLDER IS A SMART SOLUTION FOR YOUR COMPLIANCE


GDPR Folder is the solution for small and medium-sized businesses, liberal professions, associations and other public structures.

 

A result indicator shows you the evolution of your compliance.

 

You can start immediately, and within a few hours you will be able to show your efforts.

 

GDPR Folder allows you to demonstrate your compliance with the RGPD to your customers, your prospects, your employees and, in case of an inspection, to the authority.

 

Thanks to GDPR Folder, compliance becomes a quickly attainable goal.

Take 2 minutes to test yourself on the RGPD: you'll know!

Choose one of our no-obligation tests to quickly get a precise idea of the "RGPD risk" for your activity or of your level of preparation with regard to the RGPD...

Objective: these questionnaires allow us to give you an overview of your activity from an RGPD standpoint. The results communicated and the advice shared are indicative only, with the sole aim of making you aware of the importance of the RGPD in your field.

How it works: these tests are free and without obligation. All you have to do is answer the few questions in the way that best fits your business. We ask for your email address in order to guarantee that each answer is unique and to allow us to send you the results in a personalized way.

Data: your email address will not be given or shared with third parties for any purpose whatsoever. By clicking the SEND button on any of the questionnaires, you agree to our Privacy Policy, which you can view and download below.

Privacy Policy (for test questionnaires)
