Understanding GDPR: An Overview
Find out everything you need to know about the General Data Protection Regulation (GDPR).
This article aims to provide you with a general overview of the GDPR and to familiarize you with its essential terms and concepts.
The General Data Protection Regulation (GDPR), which came into force in May 2018, is the European legal framework governing the protection of personal data.
If you process personal data from the European Union (EU) or on European territory, you are required to comply with this regulation.
The role of GDPR: Protecting personal data

The GDPR is primarily intended to protect individuals whose data is collected.
Thanks to the European regulation, these natural persons have the right to access their collected data, to rectify or erase them, and to request their portability.
To this end, the GDPR imposes obligations on those responsible for processing this data. They must guarantee the protection and security of the personal data collected and be able to demonstrate this.
What is personal data?
Personal data is information relating to an identified natural person (Article 4 GDPR). The GDPR deliberately defines personal data broadly in order to ensure maximum protection: it covers any information, direct or indirect, that can identify a natural person.
This logically includes elements such as the surname or first name. However, it can also include information such as a telephone number, a social security number, DNA, or even simply an IP address.
It can also be a set of data that can identify a person, such as location, age or purchasing behavior.
CNIL and GDPR: Guardians of Data Protection

In France, the Commission Nationale de l’Informatique et des Libertés (CNIL) is the authority responsible for supervising compliance with the General Data Protection Regulation (GDPR). Before the GDPR came into force in 2018, the CNIL already ensured data protection in accordance with the Data Protection Act of 6 January 1978, which remains in force and complements the GDPR.
The CNIL thus plays a crucial role as a “data protection policeman”. It has the power to sanction non-compliant organizations in the event of a breach, violation or complaint.
Recently, the CNIL unveiled its strategic plan for 2022/2024. Furthermore, the European Parliament is currently voting on a new text to regulate artificial intelligence, the “AI Act”, in which the CNIL is positioning itself as the regulatory authority par excellence.
Who does the GDPR apply to?
The GDPR applies to any entity located in the European Union or targeting individuals within the EU.
This means that all companies operating in the European Union and processing personal data are subject to the GDPR.
The principles of the GDPR apply:
- Regardless of the size of the company,
- Regardless of turnover,
- Whether the entity is private or public,
- Whether the transactions are B2B or B2C.
It is important to note that the GDPR also extends to processors, even if they are not established in the EU. A processor is defined as a person or entity (usually a service provider) that processes personal data on behalf of and under the instructions of the controller.
What are the objectives of the GDPR?
The objectives of the GDPR are to:
- Protect the privacy of European citizens: The GDPR aims to ensure that individuals’ personal data is processed transparently, fairly and securely, in order to protect their privacy and fundamental rights.
- Prevent unauthorized access to personal data: The regulation aims to prevent data breaches by imposing appropriate security measures to protect personal information from unauthorized access, use or disclosure.
- Prevent improper handling of personal data: The GDPR seeks to ensure that personal data is processed lawfully, ethically and in accordance with the principles set out in the regulation.
To achieve these objectives, the GDPR establishes several fundamental rights for individuals, including:
- The right to information: Individuals have the right to be informed in a clear and transparent manner about the collection and use of their personal data, including the purposes of the processing.
- The right of access: Individuals have the right to access personal data about them held by an organization, as well as information about how that data is processed.
- The right to object: Individuals have the right to object to certain forms of processing of their personal data, such as direct marketing.
- The right to rectification: Individuals have the right to request the correction of inaccurate or incomplete personal data.
- The right to be forgotten: Individuals have the right to request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, subject to certain exceptions.
- The right to portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
These rights allow individuals to control their personal data and protect their privacy in today’s digital environment.
What is the Data Protection Officer (DPO)?
The Data Protection Officer (DPO) is a key player responsible for ensuring compliance with the GDPR within an organization.
In some cases, the appointment of a DPO is mandatory under Article 37 of the GDPR. The DPO may be an employee of the organization or external to it.
The CNIL describes the DPO as a “conductor”: the DPO is the primary point of contact for data protection matters, in accordance with Article 38 of the GDPR.
The responsibilities of the DPO cover all issues related to the protection of personal data, as set out in Article 39 of the GDPR.
Even where the appointment of a DPO is not mandatory, it is recommended that, at a minimum, a person responsible for managing personal data be appointed. This person need not be a lawyer, although this is often the case. Specific DPO training courses are available for those without prior legal skills.
Is GDPR mandatory?
Yes, the GDPR is mandatory in all 28 EU Member States.
Any European entity that processes personal data must comply with this regulation.
In addition, the GDPR also applies to personal data of European citizens processed by entities located outside the EU.
The five key principles of the GDPR
Article 5 of the GDPR sets out the main principles that should guide your thinking about the data you have already collected or will collect:
Principle of purpose
You must limit your collection of personal data to a single, specific and identified purpose. This data must not be used for other purposes. Each processing operation must have a defined purpose and a legal basis.
Principle of minimization
You must only use data that is necessary to achieve your objective. Other data must not be recorded: only data that is relevant to achieving the objective may be collected.
Principle of limited duration
You must only keep the data collected for the time necessary to achieve your objective. Each processing must have a duration that is limited in time or predetermined by reference to an event, for example, until unsubscribing from the newsletter or 5 years after a customer leaves.
Security Principle
You must guarantee the integrity and confidentiality of the data collected. For example, no unauthorized third party must be able to access it. The security of personal data is a very important element of the GDPR.
Principle of the rights of individuals
You must leave control of the data collected to the data subjects concerned by the processing. It is therefore necessary to inform individuals about the processing of their personal data, in particular through the Privacy Policy.
The regulation also requires that all the rights individuals have be described: information, access, rectification, objection, erasure, etc. It should also be noted that, when informing individuals, the company must also disclose the processors to whom the personal data of the data subjects is transferred. This is an important principle of data protection.
How to ensure GDPR compliance?
To do this, it is necessary to:
- Collect only relevant data (minimization principle)
- List stored data and verify their compliance
- Be transparent by clearly informing about the data collected
- Control the use of collected data
- Secure collected and stored data
- Identify and manage the risks associated with the processing of personal data
We have dedicated a White Paper if you would like to know more about data protection and how to comply with the GDPR.
Where to start?
The CNIL recommends following these 4 steps to get started:
- Set up a data processing register. The goal is to have an exhaustive map of the processing you carry out.
- Check whether your collected and stored data is necessary for your business.
- Inform about the data you collect, allow their modification, deletion or portability.
- Secure your data. You must reduce the risk of data loss as much as possible. To do this, new reflexes must be put in place regarding passwords, software updates, data encryption, backups, etc.
What are the penalties for non-compliance?
The penalties can be quite severe:
- Criminal penalties: up to 5 years of imprisonment and a fine of 300,000 euros
- Administrative penalties: an injunction to cease the violation of personal data, a warning and formal notice to comply with the GDPR, limitation or temporary suspension of data processing, and a fine of between 2 and 4% of annual turnover (up to 20 million euros)
- Additional penalties: payment of damages in the event of material or moral harm or loss of image, not forgetting the reputational impact of such a penalty on your company, which can have the effect of a double sanction!
It is therefore strongly recommended to comply with the GDPR!