The GDPR (General Data Protection Regulation) is based on the principles of citizen consent.

The GDPR obliges companies to recast contracts with their subcontractors. Therefore, the duties of data controllers and processors have evolved. Now, the obligations of the subcontractor are transparency and traceability, the storage of the data processing register, the appointment of a Data Protection Officer (DPO) is important, internal or external could be necessary in certain cases.

Data governance consists of the overall management of the availability, relevance, usability, integrity and security of data in a company.

The governance of personal data, as it emerges from the GDPR (General Data Protection Regulation), is based on several principles which express the spirit of the European regulation. It is indeed a question of making controllers and processors responsible by strongly recommending that they comply with certain obligations.

It helps organizations manage the information they have and answer questions such as:

  • What do you have as information about us ?
  • Where does this data come from ?
  • What do you do with this information ?
  • How long will you keep them for ?
  • Are these data consistent with company policies and rules ?

Since May 25, 2018, the date of entry into application of the GDPR, the French National Data Protection Commission (CNIL) can come and check the level of compliance of organizations (companies and associations) and possibly pronounce sanctions.

The Data Protection Officer (DPO)

  • Informs and advises the data controller or the processor as well as the employees carrying out the processing on their obligations
  • Monitors compliance with national data protection regulations and law, monitors compliance
  • Centralizes the company’s data processing inventory
  • Designs awareness and training actions for staff involved in treatment operations
  • Provides advice regarding the data protection impact assessment and verifies its execution.

The collection of certain so-called sensitive data is strictly supervised by the GDPR and requires special vigilance. These are data revealing the alleged racial or ethnic origin, political opinions, religious or philosophical convictions or union membership of individuals, genetic and biometric data, data concerning health, sex life or the people’s sexual orientation, data on criminal convictions or offenses, as well as the unique national identification number (NIR or social security number).

The 4 stages of the GDPR:

  1. Create a register of your data processing
  2. Sort your data
  3. Respect people’s rights
  4. Secure your data

Tip (CNIL French Legislation):

Ask your IT manager or service provider how often your users activate the “forget password” feature each year. If this rate is low or even zero, then your password management policy is not demanding enough!

“Explicit” and “positive” consent:

Companies and organizations must give citizens more control over their private data, in particular by accepting cookies on websites and controlling the use made of the data that internet users send in contact forms. For example, it is no longer possible for the “I agree to receive the newsletter” box to be pre-checked when sending a contact form in which the email is entered.