What is GDPR?
It is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The General Data Protection Regulation (GDPR) is the European reference text for the protection of personal data and its free movement. The reform aims to adapt data protection law to the new realities of the digital economy. The GDPR entered into force on 24 May 2016 and has applied throughout the European Union since 25 May 2018. Non-compliance can be punished with administrative fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
What it implies
This European regulation involves appointing a Data Protection Officer (DPO). The appointment is mandatory for public authorities and bodies, for organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities consist of large-scale processing of special categories of data (so-called "sensitive" data) or of data relating to criminal convictions and offences.
The missions of the DPO
The DPO takes over from the French Correspondant Informatique et Libertés (CIL), but with broader powers, and its missions are varied:
- Draw up the inventory of processing activities during the audit phase
- Advise the data controller on data protection impact assessments (DPIAs). These assessments, carried out by the controller with the DPO's advice, make it possible to determine the corrective actions needed and to verify that they are carried out. They also help to build processing operations that respect privacy and to ensure compliance with the GDPR. A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of the data subjects. The DPO can also help the decision-maker put in place measures to mitigate those risks.
- Design actions to raise awareness of the data protection culture within the organisation.
- Continuously monitor compliance and the proper application of the GDPR: the DPO ensures compliance with the regulation and with national data protection law.
- Be involved in all issues related to the protection of personal data
- Keep abreast of new legal requirements on data protection.
- Be the point of contact between your organisation and the supervisory authority (the CNIL, Commission Nationale de l'Informatique et des Libertés, in France; the CNPD in Portugal; or the authority of your own country), and also between your organisation and the people whose data are collected.
- The DPO is bound by an obligation of secrecy and confidentiality: all information it handles remains confidential.
Compliance with the GDPR in 6 steps:
- Appoint a DPO: the role can be filled internally or by an external provider
- Map your organisation's data to identify the personal data it processes
- Identify potential risks and prioritise the actions to be undertaken
- Assess the impacts and plan a response to the identified risks
- Set up and document a personal data management system
- Assemble the documentation needed to demonstrate compliance with the GDPR
What impact for communities?
For communities, this regulation means permanent, ongoing compliance: they must ensure, and be able to demonstrate at any time, that the data they process enjoy an appropriate level of protection.
Communities must incorporate data protection from the design stage onwards (privacy by design). They must therefore take good data protection practices into account when designing a product, service or processing operation.
To be able to control and demonstrate the compliance of their activities, communities are required to keep a record of their processing activities. For processing likely to result in a high risk, they must carry out impact assessments. They must also notify personal data breaches to the supervisory authority (the CNIL in France, the CNPD in Portugal, or the authority of your country) and, where the breach is likely to result in a high risk to the persons concerned, communicate the breach to those persons as well.
Obligation to obtain consent when collecting data
Where processing is based on consent (one of the lawful bases provided for in Article 6 of the GDPR), the consent of the data subject must be obtained before any processing of the data takes place. Consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes, limited to the processing it was given for, and expressed by a statement or a clear affirmative action; pre-ticked boxes or inactivity do not count. For special categories of data, the consent must be explicit.
Notification of breaches
In the event of a personal data breach, the data controller must notify the supervisory authority of its country without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where notification is made after 72 hours, it must be accompanied by the reasons for the delay. To contact our DPO, send an email to firstname.lastname@example.org mentioning "DPO" in the subject line.