All you need to know about GDPR and how it affects the management of personal data
Here are the answers to some of the questions you may be asking about the 2018 European General Data Protection Regulation.
Who does the GDPR really apply to?
The regulation applies primarily to all companies established in Europe. However, companies outside Europe that also process the data of people in Europe are subject to the same mandatory compliance.
What type of data is concerned? What is meant by personal data?
Personal data is any information held about a person: name, first name, sex, religion, etc. Every company therefore holds such data, whether about its own internal staff or, above all, about its customers, for example.
Full traceability of this information must therefore be demonstrable and correctly documented in order to reassure each party.
What can I do if I collect data from my website?
First of all, it is important to know that only businesses are concerned by the GDPR. Individuals are not affected and are therefore not held to this requirement of seamless traceability in the management of personal data.
When collecting data from a website, visitors must be informed of the intended use of their information and must consent to it with the owner of the website. The company will then, of course, have to document how the data is tracked and guarantee that no fraudulent use has been made of it.
What is a Data Protection Officer (DPO)?
This is a new position to be filled in the companies concerned by the GDPR. This person is responsible for data protection compliance within the organisation. He or she should ensure that all processes are properly followed and that staff have been properly trained in all the relevant guidelines.
For SMEs, a full-time DPO may not be feasible and would not necessarily be proportionate given the size of the company. This is why they may call on an “external” DPO, mandated to perform this supervisory role.
Is there a label to ensure that I comply with the GDPR?
There is currently no official label that guarantees that an organisation is 100% compliant. Random internal checks may occur within your company. In addition, the competent authorities can audit your company and provide you with a complete report on its current status and opportunities for improvement.
What should be done in case of data loss or GDPR offence?
A notification must be sent as soon as possible (at the latest within 72 hours) to the competent authority, which will then analyse your response to the loss of data and put in place solutions to avoid the risk of a recurrence in the future.
What are the penalties given for GDPR non-compliance?
The arrival of the GDPR represents a huge workload for the companies involved. The maximum penalties can be up to 4% of global turnover or 20 million euros.