Understanding the RGPD: An overview
Find out all you need to know about General Data Protection Regulation (GDPR).
This article aims to provide you with an overview of the RGPD and familiarize you with its key terms and concepts.
The General Data Protection Regulation (GDPR), which has applied since May 2018, is the European legal framework governing the protection of personal data.
If you process personal data of people in the European Union (EU), or process personal data on EU territory, you must comply with this regulation.
The role of the RGPD: Protecting personal data
The main purpose of the RGPD is to protect persons whose data is collected.
Under the regulation, these individuals have the right to access, rectify or erase the data collected about them, and to request its portability.
To this end, the RGPD imposes obligations on data controllers and processors. They must guarantee the protection and security of the personal data collected and be able to demonstrate that they do so (accountability).
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (Article 4 RGPD). The RGPD deliberately defines personal data broadly to ensure maximum protection: it covers any information that, directly or indirectly, makes it possible to identify a natural person.
This obviously includes elements such as a first or last name. But it also covers information such as a telephone number, a social security number, DNA, or simply an IP address.
It can also be a set of data enabling a person to be identified, such as location, age or purchasing behavior.
CNIL and RGPD: Data Protection Guardians
In France, the French Data Protection Authority (CNIL) is the authority responsible for overseeing compliance with the General Data Protection Regulation (GDPR). Before the RGPD came into force in 2018, the CNIL was already overseeing data protection in accordance with the Loi Informatique et Libertés of January 6, 1978, which remains in force and complements the RGPD.
The CNIL thus plays a crucial role as a "data protection watchdog". It has the power to sanction non-compliant organizations following a breach, a violation or a complaint.
The CNIL recently unveiled its strategic plan for 2022/2024. In addition, the European Parliament is currently voting on a new text regulating artificial intelligence, the "AI Act", for which the CNIL is positioning itself as the regulatory authority of reference.
To whom does the RGPD apply?
The RGPD applies to any entity established in the European Union, and to any entity outside the EU that targets individuals within the EU.
This means that all companies operating in the territory of the European Union and processing personal data are subject to the RGPD.
RGPD principles apply:
- Regardless of company size,
- Regardless of turnover,
- Whether the entity is private or public,
- Whether for B2B or B2C transactions.
It is important to note that the RGPD also extends to processors (subcontractors), even if they are not established in the EU. A processor is a person or entity (usually a service provider) that processes personal data on behalf of, and in accordance with the instructions of, the controller.
What are the objectives of the RGPD?
The objectives of the RGPD are:
- Protecting the privacy of European citizens: the RGPD aims to ensure that individuals' personal data is processed transparently, fairly and securely, in order to protect their privacy and fundamental rights.
- Preventing unauthorized access to personal data: the regulation aims to prevent data breaches by imposing appropriate security measures to protect personal data from unauthorized access, use or disclosure.
- Preventing unlawful processing of personal data: the RGPD seeks to ensure that personal data is processed lawfully, fairly and in accordance with the principles set out in the regulation.
To achieve these goals, the RGPD establishes several fundamental rights for individuals, including:
- The right to information: individuals have the right to clear and transparent information on the collection and use of their personal data, including the purposes for which it is processed.
- The right of access: individuals have the right to access the personal data an organization holds about them, as well as information on how this data is processed.
- The right to object: individuals have the right to object to certain forms of processing of their personal data, such as direct marketing.
- The right to rectification: individuals have the right to request the correction of inaccurate or incomplete personal data.
- The right to erasure ("right to be forgotten"): individuals have the right to request the deletion of their personal data when it is no longer required for the purposes for which it was collected, subject to certain exceptions.
- The right to portability: individuals have the right to receive their personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
These rights enable individuals to control their personal data and protect their privacy in today's digital environment.
What is the Data Protection Officer (DPO)?
The Data Protection Officer (DPO) is the key person responsible for ensuring RGPD compliance within an organization.
In some cases, appointing a DPO is mandatory under Article 37 of the RGPD. The DPO may be an employee of the organization or an external provider.
The CNIL describes the DPO as an "orchestra conductor": the DPO is the main point of contact for data protection matters, in accordance with Article 38 of the RGPD.
The DPO's tasks cover all matters relating to the protection of personal data, as set out in Article 39 of the RGPD.
Even where appointing a DPO is not compulsory, it is recommended at the very least to appoint a person responsible for personal data management. This person need not be a lawyer, although this is often the case, and specific DPO training courses exist for those with no prior legal background.
Is the RGPD mandatory?
Yes, the GDPR is directly applicable in all 27 EU member states.
Any entity established in the EU that processes personal data must comply with it.
In addition, the GDPR also applies to entities located outside the EU when they process the personal data of individuals in the EU, for example to offer them goods or services or to monitor their behaviour.
The five key principles of the RGPD
Article 5 of the GDPR sets out the main principles that should guide your thinking about the data you have already collected or will be collecting:
Principle of purpose
You may only collect personal data for specified, explicit and legitimate purposes, and the data must not be further processed in a way incompatible with those purposes. A purpose must be determined for each processing operation, together with the legal basis that supports it.
Minimization principle
You may only collect and use data that is adequate, relevant and necessary to achieve your purpose. Data that is not needed for that purpose must not be recorded at all.
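The text above notes that even an IP address is personal data and that data you do not need must not be recorded. A common place where that rule is broken is application logging, which captures IP addresses and e-mail addresses by default. The following Python example, added here and not part of the original article, shows one way to apply minimization at the log pipeline: it detects personal data in log lines and replaces it with a keyed pseudonym (HMAC-SHA-256) so that the logs remain usable for correlation and incident response without storing the identifiers themselves. The key name, the regexes and the sample log lines are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not from any real system). The addresses are
# from documentation ranges and the e-mail address is fictitious.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /account HTTP/1.1" 200 512',
    "login ok user=alice@example.com src=198.51.100.7",
    "retry from 203.0.113.42 after timeout",
    "health check passed, 3 workers up",
]

# Assumed: a per-deployment secret held outside the log pipeline (e.g. in a
# secret manager). A keyed hash gives a stable pseudonym (the same IP always
# maps to the same token, so rate limiting and incident correlation still
# work) that nobody without the key can reverse or recompute.
PSEUDONYM_KEY = b"example-key-rotate-me"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def contains_personal_data(line: str) -> bool:
    """Check a practitioner can run before shipping logs to a third party."""
    return bool(IPV4_RE.search(line) or EMAIL_RE.search(line))


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Keyed, truncated HMAC-SHA-256 of the identifier (hex)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def scrub_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace e-mail addresses and IPv4 addresses with labelled pseudonyms."""
    line = EMAIL_RE.sub(lambda m: "email:" + pseudonym(m.group(0), key), line)
    line = IPV4_RE.sub(lambda m: "ip:" + pseudonym(m.group(0), key), line)
    return line


def scrub(lines, key: bytes = PSEUDONYM_KEY):
    """Scrub a batch of lines; every output line must be free of raw identifiers."""
    out = [scrub_line(line, key) for line in lines]
    assert not any(contains_personal_data(line) for line in out)
    return out


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, scrub(SAMPLE_LOG)):
        print(before, "->", after, sep="\n  ")
```

If correlation across log lines is not needed, dropping the last octet of the address (or the identifier altogether) is an even stronger minimization; the pseudonymized form is the compromise to reach for when security operations still need to tell one source apart from another.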
Principle of limited duration
You must only keep the data collected for as long as is necessary to achieve your purpose. The retention period of each processing operation must be either a fixed duration or tied to a defined event, e.g. until a customer unsubscribes from the newsletter, or five years after a customer leaves.
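The two retention rules quoted above (erase newsletter data on unsubscribe, erase customer data five years after departure) are easy to state but are only honoured if something actually runs them. The following Python example, added here and not taken from the article, shows a minimal retention-enforcement job: each record carries the event that starts its retention clock, a policy table maps each processing operation to a duration after that event, and the job returns the records that must be erased. Record categories, durations and sample records are constructed for the example; a real policy table would be derived from the processing register.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str            # the processing operation this record belongs to
    trigger: Optional[date]  # event that starts the retention clock; None = not happened yet


# Retention after the trigger event, per processing operation. Hypothetical
# values following the two examples in the text.
RETENTION_AFTER_TRIGGER: Dict[str, timedelta] = {
    "newsletter_subscriber": timedelta(days=0),   # erase as soon as the customer unsubscribes
    "customer_account": timedelta(days=5 * 365),  # five years after the customer leaves
}

# Constructed sample data set.
TODAY = date(2024, 1, 15)
SAMPLE_RECORDS: List[Record] = [
    Record("sub-1", "newsletter_subscriber", date(2024, 1, 15)),  # unsubscribed today
    Record("sub-2", "newsletter_subscriber", None),               # still subscribed
    Record("cust-1", "customer_account", date(2018, 6, 30)),      # left > 5 years ago
    Record("cust-2", "customer_account", date(2020, 1, 1)),       # left < 5 years ago
]


def is_expired(record: Record, today: date,
               policy: Dict[str, timedelta] = RETENTION_AFTER_TRIGGER) -> bool:
    """True if the record's retention period has elapsed."""
    if record.category not in policy:
        # Fail closed: a processing operation without a documented retention
        # period is itself a compliance gap, so refuse to decide silently.
        raise KeyError(f"no retention policy for category {record.category!r}")
    if record.trigger is None:
        return False  # the clock has not started (e.g. customer still active)
    return today >= record.trigger + policy[record.category]


def select_for_erasure(records: List[Record], today: date,
                       policy: Dict[str, timedelta] = RETENTION_AFTER_TRIGGER) -> List[str]:
    """Identifiers of all records that must be erased as of `today`."""
    return [r.record_id for r in records if is_expired(r, today, policy)]


if __name__ == "__main__":
    print("to erase:", select_for_erasure(SAMPLE_RECORDS, TODAY))
```

Running the job on a schedule, and logging what it erased (by identifier only), is also how you demonstrate compliance with the principle, which the RGPD requires you to be able to do.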
Safety principle
You must guarantee the integrity and confidentiality of the data collected: for example, no unauthorized third party should be able to access it. The security of personal data is a central element of the RGPD, and the measures must be appropriate to the risk.
Principle of individual rights
You must leave the persons concerned by the processing in control of their data. Individuals must therefore be informed about the processing of their personal data, in particular through the privacy policy.
The regulation also requires that all the rights individuals have be described: information, access, rectification, objection, erasure, etc. As part of the information provided to individuals, the company must also disclose the processors (subcontractors) to whom the personal data is transferred. This is an important principle of data protection.
How to ensure compliance with the RGPD?
This involves:
- Collect only relevant data (minimization principle)
- Identify stored data and verify compliance
- Be transparent by providing clear information about the data collected
- Control the use of collected data
- Secure data collection and storage
- Identify and manage the risks associated with personal data processing
If you'd like to find out more about data protection and how we can help you comply with the RGPD, we've devoted a White Paper to it.
Where to start?
The CNIL recommends following these 4 steps to get started:
- Set up a register of processing operations. The aim is to have an exhaustive map of the processing you carry out.
- Check whether the data you collect and store is actually necessary for your business.
- Inform the individuals concerned about the data you collect, and allow them to have it rectified, erased or ported.
- Secure your data. You need to minimize the risk of data loss or disclosure. To do this, develop new reflexes concerning passwords, software updates, data encryption, backups and so on.
What are the penalties for non-compliance?
The penalties can be severe:
- Criminal penalties under French law: up to 5 years' imprisonment and a fine of 300,000 euros.
- Administrative penalties imposed by the CNIL: injunction to cease the violation, warning and formal notice to comply with the RGPD, limitation or temporary suspension of data processing, and administrative fines of up to 10 million euros or 2% of worldwide annual turnover, rising to 20 million euros or 4% of worldwide annual turnover for the most serious breaches, whichever amount is higher.
- Additional consequences: the reputational impact of a published sanction on your company can act as a double penalty.
It is therefore strongly advised to comply with the RGPD.