The GDPR: what the 2018 regulation means for companies
The 2018 General Data Protection Regulation (GDPR) came into force on 25 May 2018, and companies had until 24 May 2018 to comply with the regulation. What has this meant for companies in France?
The GDPR sets out to give individuals control over their personal data and regulates enterprises processing these data.
The idea behind the GDPR is nothing new: the European Union had already set out rules for protecting personal data, for example in European Directive No. 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
What is important about the GDPR, though, is that it is a regulation, not a directive, which is applicable and binding across the whole of the EEA.
The issue faced by businesses has been to understand exactly what their obligations are and to comply with them by the due date.
Appointing a Data Protection Officer
An internal or external DPO must be appointed to ensure that the company is compliant with the GDPR. The DPO is required to report any failure to comply with the regulation to the CNIL, the French body responsible for individual rights under the French Data Protection Act. The DPO is also responsible for advising on the obligations set out in the regulation.
A Data Protection Officer must be designated by any company whose processing operations involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of personal data relating to criminal convictions and offences, and also by any public authority processing personal data.
It will therefore be mandatory to provide the Data Protection Officer with all the resources they need to carry out their responsibilities and to check that they have the required expert knowledge of data protection and practices.
In a wider sense, DPOs are expected to build trust between the various organisations by increasing legal and information systems security.
6 steps for businesses to achieve compliance
The CNIL has set out 6 steps to help businesses become compliant with the GDPR.
The first step is to appoint a Data Protection Officer. Considerable care must be taken over this appointment as the DPO’s role is pivotal.
The second and third steps involve setting up a dashboard, or alternatively a register, for tracking the processing of personal data and prioritising actions according to the risks that the processing poses to the rights and freedoms of the people concerned.
The next steps provide for managing risks by setting up internal procedures to deal with security shortcomings, requests for data rectification or a change in service providers.
The CNIL recommends keeping the documents relating to the compliance process in order to show, should it be necessary, that the company has been acting in good faith.
Companies are advised, for example, to keep the emails proving that Mr Smith or Mrs Brown has subscribed to their newsletter.
The compliance process is complex, so companies should not wait until the last minute before tackling the issue; otherwise they could leave themselves open to proceedings.