The General Data Protection Regulation (GDPR) came into force on May 25, 2018. This is a good opportunity to summarize what it changes and the obligations it places on companies that handle personal data.
What is GDPR?
This is a European text on the protection of personal data. Its objective is to unify and strengthen the rules on data protection within the European Union. Broadly speaking, it continues the French "Informatique et Libertés" (Data Processing and Civil Liberties) law of January 1978. It also makes the actors who process personal data more accountable.
All organizations are concerned as long as they are established in the European Union and their activity targets European residents.
What is personal data?
The GDPR concerns personal data, meaning any information relating to an identifiable person. A person can be identified through a first and last name, an email address of the form firstname@email.com, a telephone number, and so on.
Tip: an address such as "contact@email.com" does not identify a natural person and is therefore not personal data.
How to become compliant in 5 steps
1/ Identify a manager
The most basic first step is to identify a person who will take charge of this compliance. This Data Protection Officer will act as the conductor who helps other employees understand what to do and what not to do.
2/ List the databases
It is advisable to create a register listing all the data processing that you carry out. This register gives you an overview. It can simply be an Excel file that summarizes each processing operation, its purpose, the list of people who have access to it, and the retention period. Good news: the CNIL offers a ready-to-use template:
Download the GDPR Registry template from the CNIL
3/ Clean up
Once the register has been compiled, it is time to sort through it. Data that you should not have collected must be deleted. Here are some examples of the sorting to carry out:
Delete the customer databases you purchased (for example: a prospect list you bought)
Delete unnecessary data, including data about your employees (for example: you do not need to record whether your employees have children)
Delete data that you have not used for several years (for example: is it really useful to keep the name of a customer for whom you have not carried out any work for 10 years?)
Also remember to remove access to certain personal data from people who do not need it.
4/ Inform people of their rights
When collecting data, the person must be informed of certain points, such as:
The reason for the data collection. For example: being able to work with the client
The basis for the collection. This may be a legal obligation, or it may be necessary to obtain the person's consent
The categories of people who have access to the data. For example: internal department, service provider, etc.
The data retention period.
The procedures for exercising the rights of access, modification, and deletion. For example: a form or an email address
Whether you transfer the data outside the European Union.
5/ Secure the data
Implement good security practices. Here are some basic recommendations:
Use sufficiently complex passwords
Create one user account per person (avoid having an account shared between several people)
Check the access restrictions between users
Secure access to the premises
Make regular backups
Good to know: if you suffer a computer intrusion, you will also have to inform the persons concerned, as well as the CNIL, within 72 hours of the security breach.
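Steps 2, 3 and 5 above can be checked mechanically against the register. The following is an added example, not Organilog's code or the CNIL template: a constructed processing register (purpose, roles allowed to access the data, retention period), records carrying a last-activity date, and account permissions; it lists the records that have outlived their retention period and the access grants that the register does not justify. All names, roles and dates are invented.

```python
from dataclasses import dataclass
from datetime import date

# Constructed register in the spirit of the CNIL template: purpose, roles
# allowed to access the data, retention period. All names/dates are invented.
@dataclass
class Processing:
    purpose: str
    allowed_roles: set    # roles permitted to access this processing
    retention_years: int  # retention period declared in the register

@dataclass
class Record:
    processing: str       # register entry the record belongs to
    subject: str          # the identifiable person (personal data)
    last_activity: date   # last time the record was actually used

REGISTER = {
    "customers": Processing("carry out and invoice interventions",
                            {"technician", "accounting"}, 3),
    "payroll": Processing("pay employees", {"hr"}, 5),
}
RECORDS = [
    Record("customers", "Alice Martin", date(2011, 3, 4)),  # no work since 2011
    Record("customers", "Bob Dupont", date(2018, 1, 15)),
    Record("payroll", "Claire Petit", date(2017, 11, 30)),
]
# Each account: its role and the processings it can currently open.
ACCESS = {
    "alice@example.com": ("technician", {"customers", "payroll"}),
    "hr@example.com": ("hr", {"payroll"}),
}
AUDIT_DATE = date(2018, 5, 25)  # reference date for the audit

def years_since(d, today):
    return (today - d).days / 365.25

def records_to_delete(records, register, today):
    """Step 3: subjects whose last activity is older than the declared retention period."""
    return [r.subject for r in records
            if years_since(r.last_activity, today) > register[r.processing].retention_years]

def excess_access(access, register):
    """Steps 3 and 5: (account, processing) grants whose role the register does not list."""
    return [(user, p) for user, (role, procs) in access.items()
            for p in sorted(procs) if role not in register[p].allowed_roles]
```

Run against the constructed data, the audit flags Alice Martin's record for deletion (last work in 2011, 3-year retention) and the technician account's access to the payroll processing for revocation.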
Organilog before and after GDPR
Good news: at Organilog we already comply with many of the points required by the GDPR, such as:
The right to obtain data concerning you
The right to delete data concerning you
Our teams were already aware of computer security
We do not disclose your data to anyone
The right to be informed if we suffer a computer attack (it has never happened to us)
...
What really changes:
We are going to remove a feature that recorded whether or not an email sent from the platform had been read by the recipient. In theory, the recipient's consent would be required to collect this information.
Until now Organilog archived all data; we are going to add the possibility of actually deleting data permanently.
We will inform our users of the reason we record certain information, such as the telephone number (so that we can help them via our telephone support).
Compliance checklist at Organilog
GDPR commitment: OK, we are monitoring and have made our employees aware.
Mandatory appointment of a Data Protection Officer (DPO): OK, our DPO is in charge of monitoring GDPR compliance.
Processing register: OK, our registers are maintained on a daily basis
Data Consent: OK
Sensitive data: We do not manage sensitive data
Right to erasure: OK, we delete your data if you ask us to do so
Right to portability of personal data: OK, we will transfer your data to you if you ask us to do so
Notification in case of a data leak: OK, in the event of a security breach we will keep you informed.
Expertise and security: OK, we follow good practices for security
What you need to know as a customer
Here are some recommendations from our teams. This mainly concerns you if your customers are individuals, who are therefore identifiable by their first and last name.
Remember to have a sufficiently complex password
Create one user account per person
Customer consent must be requested for them to appear in your contact list
There is no need to import into Organilog customers for whom you have not carried out any activity for many years
Organilog lets you filter customers by creation date, so that you can easily delete those for whom you no longer carry out any activity
There is no need to fill in fields in Organilog that you do not really need. Just because a field exists does not mean it must be completed in your case