Published on 11 April 2019 (Updated 29 February 2024)
RGPD has been in the news a lot lately! However, even though the CNIL publishes good information about it, many of us are still a little lost as to the concrete actions to implement in order to comply with the RGPD.
If this is also your case, then this article is made for you!
What is the GDPR?
The General Data Protection Regulation is a European Union measure that came into effect on May 25, 2018 and is applicable to all member states. It replaces the Personal Data Protection Directive dating from 1995. The objective of its compliance is to harmonize and strengthen the protection of personal data of individuals in the European Union and to raise awareness among the various stakeholders. The European Council speaks of “giving back to citizens the control of their data while simplifying the regulatory environment for businesses.”
The main principles of the RGPD
In the era of Big Data, with a global volume of data that doubles every 3 years, the fundamental principle of this new regulation is minimization. To comply with the RGPD, collect as little data as possible, limiting collection to what is necessary. This information must be collected as transparently and explicitly as possible, and the user must be informed of the purpose for which it will be used. To achieve this, various measures need to be put in place. But what should be done in concrete terms?
The 6 obligations of RGPD compliance
1. Explicit and positive consent
The first axis to consider is explicit and positive consent. This means that the purpose of using personal data must be written as clearly and precisely as possible. Each time the user transmits data, he/she must check an “I agree” box and have access to a link to the site’s privacy policy.
Please note that the consent is valid for 13 months and it is forbidden to offer pre-ticked boxes!
FOCUS ON COOKIES
The principle of explicit and positive consent also applies to cookies, whether they collect personal data or not. To comply with the RGPD, it is therefore essential to warn Internet users before cookies are placed by the site. They must have the possibility to accept, refuse and personalize these cookies. Your cookie information must also contain a link to your privacy policy. The CNIL specifies that “this banner must not disappear and that continued browsing counts as agreement to the deposit of cookies.”
Note: Cookies and tracers expressly requested by the user are exempt from consent (e.g. shopping cart, authentication, choice of language…)
FOCUS ON NEWSLETTERS
When sending an email newsletter, make sure that the mailing lists are composed of double opt-in contacts only. This means that people have requested to receive the message and have confirmed their willingness to subscribe by clicking on the link in a confirmation email. In addition, every RGPD-compliant email must have a visible unsubscribe link, since the user can withdraw their consent at any time.
Note: Mailing lists should never be used for purposes other than those for which people have given their consent. Nor should they be sold or shared without their consent.
2. The right to modify, erase and transfer
RGPD compliance requires implementing a simple way for users to modify their consent.
The user must also, in all cases, be able to request the deletion of their personal data. For each deletion request, all stored data must be deleted.
The site must also provide a way for users to retrieve their data quickly.
It is important to respond to requests for modification, deletion, and consultation as soon as possible (within 1 month).
3. Protection measures
The company must implement data protection measures (encryption, pseudonymization, etc.). This is known as “privacy by design”, a principle according to which each entity that processes data must guarantee the highest possible level of security.
NB: it is possible to promote the good practices of companies through certification procedures at the French and European levels and the granting of labels by the CNIL.
HIGHLIGHT ON THE DESIGNATION OF A DATA PROTECTION OFFICER FOR RGPD COMPLIANCE:
A Data Protection Officer must be appointed in the following 3 cases:
- Large-scale data collection
- Public administrations
- Collection of sensitive data (health, banking information, criminal offenses…)
If your company or administration is part of the above cases, it must carry out a Privacy Impact Assessment (PIA). It will also have to notify users and the CNIL within 72 hours in case of data leakage to comply with the RGPD.
4. Updating your privacy policy / Add a “privacy” page
In order to comply with the RGPD, it is important to update your privacy policy or to add a personal data management page. This page must contain the following information:
- Your contact details, those of the site editor, those of the host
- The type of data collected
- Why you collect this data
- How long you store it
- The security measures put in place to ensure their protection
5. Drafting a processing activity register
Drafting a register of processing activities is mandatory for all companies with more than 250 employees. It is a document based on the techniques used to collect, store, and use user data.
According to the CNIL, companies with fewer than 250 employees only need to record the following processing in the register:
- Non-occasional processing (e.g. payroll management, customer/prospect and supplier management, etc.)
- Information that is likely to involve a risk to the rights and freedoms of individuals (e.g. geolocation systems, video surveillance, etc.)
- Processing involving sensitive data (e.g. health data, offenses, etc.)
6. Making Processors Accountable
This last point concerns organizations that process personal data on behalf of other companies. They will have to keep a record of the processing activities carried out on behalf of their clients.
RGPD compliance in practice
- Cookies: propose the buttons “I accept”, “I refuse” and “I personalize” + a link to your privacy policy.
- Forms: propose an “I accept” checkbox (which should not be pre-checked) + a link to your privacy policy.
- Newsletters: contacts must be double opt-in + presence of an unsubscribe link.
- Privacy policy: must contain at least an email address to contact for any request for modification, deletion or recovery of personal data (if no other means is set up).
Tips and best practices for RGPD compliance
We recommend the following plugins: Cookie First and Axeptio.
Today, some aspects of RGPD compliance are still quite unclear. To overcome this lack of precision, we advise you to follow the best practices below:
- Clarify your consent requests as much as possible, with the possibility of acceptance, refusal and personalization.
- Offer compliant forms with an opt-in box (not pre-ticked) and a link to the privacy policy.
- Provide a way to retrieve personal data easily.
Why comply with the RGPD?
In case of a CNIL inspection, the RGPD requires you to be able to demonstrate your compliance at any time, under penalty of heavy sanctions of up to 4% of annual turnover.
Updating and improving internal procedures continuously is therefore recommended.
Attention:
- This regulation also affects companies outside the European Union that process data relating to European residents.
- The RGPD applies to your customers but must also be implemented for your employees.
Beyond the possible sanctions, today’s Internet users are increasingly sensitive to the protection of their personal data, and working on your RGPD policy will help gain their trust. It will also improve the quality of your databases and thus optimize your marketing campaigns.
WANT TO FIND OUT MORE?
Want to be guided in the development of your RGPD compliance strategy? Don’t hesitate to contact our team.