RGPD. You have often heard this acronym, you know that it refers to the General Data Protection Regulation, but you do not know exactly what it refers to.
However, you know that behind these four letters, there are important issues at stake for your company... In 2022, it is time to take stock of what is important for the creation of a company and for SMEs, especially in an increasingly digital market.
Are you an entrepreneur and are you confused about the RGPD? Are you wondering what your obligations are in terms of data protection?
You can consult the text of the Regulation in its entirety, or that of the law transposing it into French law, or read the documentation made available by the CNIL, or else you can follow these tips to get compliant!
RGPD... what is it?
The acronym RGPD (GDPR in English) refers to the "General Data Protection Regulation". This European Regulation of 27 April 2016 ensures the protection of individuals by defining the rules applicable to the processing and circulation of personal data, and it provides a single legal framework for professionals throughout the European Union. The RGPD was transposed into French law by a 2018 Act, in line with the 1978 Data Protection Act, which strengthens citizens' control over the use of their data.
1. Are you concerned by the RGPD?
Processing of this data
If you answered YES to these 4 questions, you are concerned by the respect of the rules on personal data protection.
What does it mean to process personal data?
First of all, what is personal data? The definition is very broad: it covers any "information relating to an identified or identifiable natural person".
So what does it mean to process personal data? The definition is also very broad: "personal data processing" refers to "any operation or set of operations, whether or not by automatic means, which is performed on personal data or sets of personal data".
2. What are your obligations as a company?
As a professional, you must ensure that personal data is:
- processed in a lawful, fair and transparent manner;
- accurate and up to date;
- collected for specific, explicit and legitimate purposes;
- adequate, relevant and limited;
- kept for a reasonable period of time;
- processed in such a way as to ensure its protection.
What does this mean in practice?
1. You may only collect data that is strictly necessary for the purpose for which you are collecting it
Data must be collected for a specific purpose. It should not be collected "just in case" or used for other incompatible purposes.
To be sure you are not mistaken, ask yourself the right questions:
What is the purpose of my data collection? What will it be used for?
Is this goal legitimate, justified in terms of my activity?
Is this objective understandable to all?
You are a kitchen fitter and you propose to make an appointment on your website. In the online form, you ask your customers for their first name, last name and telephone number in order to achieve your objective (to arrange an appointment).
But you don't need to know their religion or their social security number.
2. You must keep your list of files up to date and regularly reassess the consistency between the data collected and your needs
You should regularly ask yourself the following question about each piece of data you collect: Is the collection of this data still necessary to achieve my goal?
You used to collect your customers' dates of birth in order to send them special invitations on their birthdays. You have since decided to stop this type of "birthday promotion".
You therefore no longer need to collect your customers' dates of birth.
3. You undertake to secure the storage of the data you hold
In short, you must take all the necessary precautions to prevent the capture, hacking and misuse of your files.
To do this, you can implement several measures:
- regular updating of your antivirus software;
- regular change of passwords;
- the use of complex passwords;
- encryption of your data (in certain situations).
Note: If you suffer a breach of your files containing personal data, you must report it to the CNIL within 72 hours. And if there is a risk to rights and freedoms, you must inform the persons concerned without delay.
4. You must inform the people whose data you collect
You must inform the people whose data you collect about the following:
- What data do you collect?
- What is the purpose of the data collection?
- What is the legal basis for this data collection (consent of the data subject, compliance with a legal obligation, etc.)?
- Who will have access to this data (the company's internal manager, partners, etc.)?
- How long will this data be kept (3 years, 5 years after the end of the contractual relationship, etc.)?
- How can people exercise their rights of access, rectification, objection, deletion, portability and restriction of processing (via a dedicated e-mail address, etc.)?
- Is the data transferred outside the European Union?
Is your website RGPD compliant?
1. Legal notices must be correctly published. To find out the specifics for your situation, consult the public service website.
2. You should mention a contact method for people to exercise their rights electronically.
3. Your website must respect the general recommendations of the CNIL regarding data protection.
Plan to include the "CNIL mentions", models of which are available online.
1. Access to your website should not be conditional on subscribing to your newsletter.
2. You must also include the "CNIL mentions" when subscribing to this newsletter.
1. Your site uses consent-exempt cookies
You simply need to inform users of this and remind them that their browser settings allow them to block such cookies, possibly at the cost of some of the site's functionality. Consent-exempt cookies are those "strictly necessary for the provision of an online communication service expressly requested by the user, or tracers that aim to enable or facilitate the transmission of the communication by electronic means".
For all other cookies, you must inform users and obtain their consent before placing or reading cookies or other trackers. To do this, you need to set up a "cookie banner" on your website that meets the requirements for valid consent.
Cookies requiring prior consent are, for example, cookies related to personalised or non-personalised advertising, or related to sharing features on social networks.
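As an added illustration (not code from the original article), here is a small consent gate of the kind a cookie banner needs behind it: only strictly-necessary cookies may be written until the visitor has answered the banner, and the visitor's choice is stored in a dedicated cookie. The category names and the consent cookie name are assumptions for the example.

```javascript
// Added example: gate non-essential cookies behind an explicit opt-in.
// Category names and the consent cookie name are assumptions for this example.
const EXEMPT = new Set(["necessary"]);   // categories that need no consent
const CONSENT_COOKIE = "cnil_consent";   // hypothetical name of the choice record

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key) out[key] = decodeURIComponent(rest.join("="));
  }
  return out;
}

// Read the stored choice; null means the banner has not been answered yet
// (an unreadable record is treated the same way, so the banner is shown again).
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// May a cookie of this category be written right now?
// Exempt categories are always allowed; anything else needs an explicit "true".
function mayUse(category, consent) {
  if (EXEMPT.has(category)) return true;
  return consent !== null && consent[category] === true;
}

// Build the Set-Cookie value recording the visitor's choices (6-month lifetime).
function consentCookie(choices) {
  const value = encodeURIComponent(JSON.stringify(choices));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
}

// Given the cookies a page would like to set, keep only those the visitor allows.
// Each pending entry looks like { name: "_ads", category: "advertising" }.
function filterPending(pending, cookieHeader) {
  const consent = readConsent(cookieHeader);
  return pending.filter((c) => mayUse(c.category, consent));
}
```

Before any choice is recorded, `filterPending` lets through only the "necessary" entries; after the visitor opts in to a category, cookies of that category are allowed as well, while categories refused or never mentioned stay blocked.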
3. What are the penalties for non-compliance with the RGPD?
The CNIL carries out regular checks, online or on site, at random or following complaints from users.
Penalties for non-compliance with the rules on personal data protection can range from a simple reminder to a substantial financial penalty (4% of worldwide turnover or 20 million euros).
At Digital 64, we like good advice. And when it concerns specific and important areas, such as the subject of law and privacy, we call in the experts.
We would like to thank Amélie Da Fonseca from Astraiaandcom for this article and her many tips.
If you are looking for a marketing partner to help you create your website or digital communication, while respecting consumers, contact us.