On May 25, 2018, the General Data Protection Regulation (GDPR) will come into effect. Adopted in April 2016, it strengthens the protection of citizens and therefore increases the obligations of all businesses (including e-commerce sites). Whatever their size and activity, they must now organize themselves to be in compliance. If a company is the victim of a computer intrusion into its network that results in a leak of personal data, it will have to notify the National Commission for Information Technology and Freedoms (CNIL) within 72 hours. After this period, or if it does not notify this body at all, the SME will have to pay a fine. Article 83.6 of the RGPD specifies that this sanction can be up to 4% of the total annual turnover of the previous year. However, this sanction does not apply to small and medium-sized enterprises (SMEs). Judges will take into account the means and competences of companies.
In short, the RGPD strengthens and generalizes Law 78-17 of January 6, 1978 on information technology, files and freedoms, in force in France. Until now, the requirement to notify personal data breaches has applied only to electronic communications service providers. This increased pressure on businesses is explained by the aim of the regulation: to strengthen the protection of citizens. From now on, companies must obtain explicit consent from the end user for the use or recording of their private data. They must allow the portability of personal data to users who request it. Finally, users have the right to have their personal data deleted by the company that processes it.
For the majority of small and medium-sized enterprises, compliance with the RGPD is complex. The difficulty begins as soon as the definition of “personal data” is addressed. In short, it is any data that can identify a person: name, age, place of birth, social security number… This therefore concerns customer and prospect files, but also information about employees, temporary workers, trainees… There is also “raw data” such as browsing history and “likes” on social networks, and what is derived from it (such as preferences inferred from that browsing and those likes). In the event of a data leak, companies will be required to notify all customers and employees concerned by registered letter with acknowledgement of receipt.
- Pseudonymisation: to limit highly targeted exploitation of the data;
- Encryption: to reduce the risk of its databases being exploited in the event of a network intrusion or laptop theft;
- Backups: to ensure integrity, availability and resilience.
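The first of these measures, pseudonymisation, is easy to get wrong: hashing an identifier with a plain, unkeyed hash leaves it guessable by anyone who can enumerate customer numbers or e-mail addresses. The following Python example is added here for illustration and is not code from the article or from any product it mentions. It replaces the direct identifiers of a customer file with a keyed HMAC-SHA256 token, keeps only the analytic fields in the extract, and stores the key and the token-to-identity lookup table separately, so that a leaked extract cannot be re-identified without them while the records can still be joined and counted. The sample records, field names and key handling are all constructed assumptions.

```python
"""Pseudonymisation of a customer file with a keyed hash (illustrative example)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records: fictitious people, not real data.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Martin", "email": "alice@example.org", "city": "Lyon", "orders": 4},
    {"customer_id": "C-1002", "name": "Bob Durand", "email": "bob@example.org", "city": "Lille", "orders": 1},
    {"customer_id": "C-1001", "name": "Alice Martin", "email": "alice@example.org", "city": "Lyon", "orders": 2},
]

# Fields that directly identify a person and must not appear in the extract.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def make_token(identifier: str, key: bytes) -> str:
    """Deterministic keyed hash: same identifier and same key give the same token.

    A plain SHA-256 over an identifier could be reversed by hashing every
    plausible customer id; the secret key removes that possibility.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, lookup_table).

    The pseudonymised records keep only the analytic fields plus a token.
    The lookup table maps token -> customer_id and is the "additional
    information" that must be kept apart from the extract, together with
    the key (separate system, separate access rights).
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        token = make_token(rec["customer_id"], key)
        lookup[token] = rec["customer_id"]
        analytic_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"token": token, **analytic_fields})
    return pseudonymised, lookup


def reidentify(token: str, lookup: dict) -> Optional[str]:
    """Re-identification is only possible for whoever holds the lookup table."""
    return lookup.get(token)


def orders_per_token(pseudonymised):
    """Example analysis that still works on the pseudonymised extract:
    records of the same person share a token, so they can be aggregated."""
    totals = {}
    for rec in pseudonymised:
        totals[rec["token"]] = totals.get(rec["token"], 0) + rec["orders"]
    return totals


if __name__ == "__main__":
    # Assumption: the key is generated once and stored in a key vault or HSM,
    # never alongside the pseudonymised extract.
    key = secrets.token_bytes(32)
    extract, table = pseudonymise(CUSTOMERS, key)
    for row in extract:
        print(row)
    print(orders_per_token(extract))
```

The design point is the separation: the extract can be handed to an analyst or a subcontractor, while the key and lookup table stay with the controller. Rotating the key produces an entirely new set of tokens, which is what you want when an extract is suspected to have leaked.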
Even if the deadline still seems a long way off, it is essential to take stock of the company's current situation quickly, in order to start on the following actions:
- A comprehensive inventory of internal or external media recording this type of data;
- Selecting and integrating solutions to ensure the security of this type of file;
- Raising employee awareness so that these notions of privacy are built in from the design stage of any new application, service or even piece of equipment that collects data.
These goals are more complex than they seem. To meet these challenges, small and medium-sized enterprises (SMEs) will need to surround themselves with external partners who can advise and support them over the long term.
RGPD 2018: 11 key questions for businesses
1. Does the RGPD apply to my business?
It applies to all businesses and administrations, regardless of their country of origin: as soon as they collect or process data about European citizens, they must comply with the RGPD. They will all have to demonstrate that they use only the personal data “strictly necessary” for their activity.
2. What is the effective date of the RGPD?
Adopted in April 2016, the General Data Protection Regulation (GDPR) will come into force on May 25, 2018. It will apply in the same way in the 28 Member States.
3. What is personal data?
It is any information that identifies a natural person: of course the name, date of birth, Social Security number and IP address, but also the email address.
4. Are Sage solutions ready for the RGPD?
Sage makes every effort to ensure that its maintained products are “RGPD Ready”, i.e. they are ready for the implementation of the RGPD. Sage recommends that users check that they are using the latest versions of its software. Sage solutions in the cloud, on the other hand, will always benefit from updated versions, helping them to meet their data protection obligations.
5. What are the penalties?
The RGPD provides for tiered fines depending on the faults committed: poor record keeping, failure to notify the supervisory authority (CNIL in France), lack of impact assessments… The text specifies that this sanction can reach up to 4% of annual worldwide turnover, compared with the current maximum of 150,000 euros (see Art. 47 of the 1978 Act). However, judges will take into account the means and competences of companies where small and medium-sized enterprises (SMEs) are concerned.
6. How is the RGPD different from the 1978 Act?
It strengthens and generalizes Law 78-17 of 6 January 1978 relating to computers, files and freedoms in force in France. There are two new features. First, the RGPD generalizes the notification requirement within 72 hours. Until now, only “sensitive” companies such as telecommunications operators had to do so within 48 hours. Second, the RGPD requires companies to think about protecting personal data ahead of product or service design. In other words, as soon as you start a project, you need to plan for data security. Finally, you will need to ask users for their explicit consent (and keep proof of this) before sending them mailings.
7. How much does compliance with the RGPD cost in my company?
It all depends on the size of your business. But several measures, each with a cost, will be essential: auditing compliance with the RGPD, setting up solutions to protect this data, raising awareness among employees through training…
8. Does my company need to recruit a DPO?
The Data Protection Officer is mandatory for public authorities and certain organizations whose core activities lead them to carry out “regular and systematic monitoring of people on a large scale”, or to process data relating to “sensitive sectors” such as health, religion, political opinion or union membership, or “data related to criminal offences and convictions.” However, even when these criteria are not met, it is advisable to designate a DPO.
9. What are the missions of a DPO?
Successor to the IT and Freedoms Correspondent (CIL) from next May, the DPO will have expanded powers. As the person responsible for the processing of personal data, he will have to put in place the appropriate procedures to prevent, among other things, that data from being altered or exploited by unauthorized persons. The DPO will also need to verify that these measures are being properly implemented by all departments.
10. Are my subcontractors affected by the RGPD?
Yes. If you entrust your data to an IT provider or a cloud provider, you need to make sure it meets the requirements of the RGPD. The text specifies that “in the context of processing carried out by a processor” you must only call on companies offering “sufficient guarantees, especially in terms of specialized knowledge, reliability and resources.” Ideally, having a lawyer check the contracts of your subcontractors will ensure that you do not encounter any nasty surprises.
11. Is the data my company transfers outside the EU affected by the RGPD?
The RGPD does not prohibit transfers to data centres outside the EU. The RGPD covers all companies, in the EU or outside the EU, that process data from European individuals. If a non-EU company processes data from EU citizens, it will have to ensure that the level of protection put in place is sufficient in relation to the requirements of the RGPD. If a non-EU company does not comply with EU regulations, it could be banned from all transactions in the EU until it complies with the rules.