The GDPR or Regulation No. 2016/679, also known as the General Data Protection Regulation, is the European reference text for the protection of personal data.
It will be applicable from 25 May 2018 in all the Member States of the European Union, with the aim of strengthening the right of natural persons to the protection of their personal data, while ensuring the proper functioning of the internal market through the free movement of personal data.
It will apply whenever a data controller or its processor is established on the territory of the European Union, or whenever a resident of the European Union is directly targeted by the processing of personal data.
The main provisions of the GDPR
It harmonises all the rules applicable to the processing of personal data throughout the European Union.
The regulation will apply to companies and organizations established in or outside the European Union that process data on the activities of EU organizations. Non-European companies will also be subject to the regulation if they target EU residents through profiling or offer goods and services to European residents.
European citizens must give explicit and positive consent to companies or organizations wishing to collect personal data. They have the right to receive personal data concerning them that they have provided to a controller, a right to erasure (right to be forgotten) and a right to portability of personal data (Article 20).
The European regulation defines the principle of “data protection by design”, which requires organizations to take personal data protection requirements into account when designing products, services and systems that use personal data. In addition, the regulation lays down the new “data protection by default” rule, which requires every organization to operate a secure information system (Article 25 of the Regulation).
Companies and organizations will be required to notify the national protection authority as soon as possible in the event of serious data breaches so that users can take appropriate measures (Article 33 of the Regulation).
Data Protection Officer (DPO)
The appointment of a delegate is mandatory when:
- the processing is carried out by a public authority or a public body, with the exception of courts acting in their judicial capacity (Article 37). This concerns the State, territorial communities, departments, regions and public institutions (hospitals, universities, …).
- the core activities of the controller or processor consist of processing operations which, by their nature, scope and/or purpose, require regular and systematic large-scale monitoring of the persons concerned.
- the core activities of the controller or processor consist of large-scale processing of the special categories of data referred to in Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10 (Article 37(1)(c)). This refers to “sensitive” data, in particular data relating to the state of health of individuals, their state of vulnerability, or personal data relating to offences and convictions.
The Data Protection Officer must be involved in all data protection issues. Their main tasks are to monitor compliance with the regulation, to advise the controller on its application, to act as the point of contact for the supervisory authority, and to respond to requests from people who wish to exercise their rights.
All activities that may have significant consequences for the protection of personal data will have to be preceded by a privacy impact study, which must also include measures to reduce the potential consequences of any damage to the protection of personal data. The Data Protection Officer will have to consult the supervisory authority before implementing the activities in question (Article 35 of the Regulation).
The DPO may perform these duties under a service contract, as an outsourced delegate. The function can be shared between several SMEs/SMIs or small communities.
The GDPR gives regulators the power to impose financial penalties of up to 4% of a company’s annual global turnover or €20 million (whichever is greater) in the event of non-compliance (Article 83(6) of the Regulation).
GDPR Compliance with KRYPTSYS
Bound by strict professional secrecy and backed by our expertise in data protection, we can act as your DPO (Data Protection Officer), both to bring you into compliance and to manage compliance on an ongoing basis.
We will lead the compliance project through:
- compliance tests.
- a compliance audit.
- the impact study.
- a compliance plan.
- regular reporting to senior management.
- obtaining the CNIL GDPR label.
This phase, which comes after compliance, includes:
- the management of the processing register.
- data and processing management.
- the management of subcontractors.
- assistance and control.
- user awareness.
- the GDPR compliance monitoring dashboard.
KRYPTSYS, your outsourced DPO
May 25, 2018 is tomorrow. Do not wait.
Contact us to start appointing your DPO.
Meet us! https://www.kryptsys.com/en/contact