GDPR : A New Paradigm
The GDPR (General Data Protection Regulation) is considered a new paradigm compared with previous European legislation on personal data because:
DPO (can be internal or external to the company)
The appointment of a DPO (Data Protection Officer) is mandatory for public sector companies.
It is also mandatory for private sector companies that process specific (sensitive) data on a large scale or carry out profiling on a large scale.
Extra-territoriality
The GDPR applies to companies outside the European Union (i.e. whose headquarters or servers are located outside the European Union) as long as these companies target European citizens (particularly on the web).
Right to be forgotten/ to erasure
The right to be forgotten/to erasure allows the data subjects concerned to modify their digital traces, so that they become actors in their own digital life.
Portability
This principle ensures the portability of personal data between different service providers (for example, social networks, providers specialising in the provision and management of email, or utilities).
Data protection by design and by default
Data protection by design and by default builds data protection concepts into the design of a product or service, so that protection applies without any further action on the part of the data subject (DP by default).
Accountability
The accountability principle requires the controller to demonstrate and prove that everything has been implemented in accordance with the instructions set out in the company's data privacy policy.
PIA
The PIA (Privacy Impact Assessment) must be carried out in a number of cases, in particular when the processing of personal data involves a high risk for the data subjects.
Technical and organisational security measures
It must be ensured that adequate (appropriate) technical and organisational security measures are in place to protect and secure personal data.
Minimisation principle
Only the minimum amount of personal data required for the purpose may be collected.
Data breaches
Data breaches must be notified to the regulatory authority (the CNIL for France) by the controller within a maximum of 72 hours. In the event of a very high risk for the data subjects, the controller may be obliged to inform each data subject individually.
Fines
Fines for non-compliance with the GDPR can reach up to 4% of the worldwide turnover of the company concerned or €20 million.
As part of the GDPR, the consulting company Data Privacy Professionals offers you a range of services that allow you to:
→ support your company through the process of becoming GDPR compliant,
→ accelerate compliance with our available packages,
→ train your employees and your DPO,
→ use the services of an external or outsourced DPO (Data Protection Officer).