The General Data Protection Regulation (GDPR), a European regulatory framework for the processing and circulation of personal data, came into force on 25 May 2018 and governs the way that EGERIE manages data that we may collect from you.
Article 32 specifies that the protection of personal data requires "appropriate technical and organizational measures to ensure a level of security adapted to the risk". Such an approach allows for objective decision-making and the determination of measures that are strictly necessary and appropriate to the context.
Several key concepts outlined below will give you a better understanding of the scope of the regulation:
Consent
« Consent must be given by a clear affirmative act by which the data subject freely, specifically, knowingly and unequivocally agrees to the processing of personal data concerning him or her, for example by means of a written statement, including electronically, or an oral statement ».
« Privacy By Design »
« Processing managers must implement all technical and organizational measures necessary to ensure the protection of personal data, from the design stage of the product or service onwards ».
The designation of a DPO
« Companies processing sensitive and/or large-scale data are required to designate a Data Protection Officer (DPO, translated into French as Data Protection Delegate) ».
Personal data (DCP)
This is "any information relating to an identified or identifiable natural person" (...) "names and surnames, identifiers, identification numbers, phone numbers, e-mail addresses, behavioral data, as long as they can be linked to an individual...".
Processing
« Denotes the collection, access, storage, handling, destruction and remote consultation of data ».
With the concept of "Accountability" the GDPR places data protection at the heart of corporate strategy and culture.
The subject can no longer be regarded as a purely digital matter; it raises the fundamental question of trust. It is also an opportunity to rethink, at the highest level, the economic models built around the valuation of data.
Article 24 of the GDPR - Accountability: « (...) the person in charge of processing implements appropriate organizational measures (...) to ensure and be able to demonstrate that the processing is carried out in accordance with this regulation. These measures are reviewed and updated where necessary. »
These measures include:
The implementation of appropriate data protection policies by the processing manager
The application of an approved code of conduct or certification mechanisms
Faced with the scale and recurrence of the actions to be carried out in more or less complex and decentralized environments, the DPO (Data Protection Officer, translated into French as "Delegate for Data Protection") must rely on operational tools to orchestrate the application, monitoring and verification of the rules governing the processing of personal data.
Article 39 of the GDPR - Mission of the Data Protection Officer (DPO):
« He advises the person in charge of processing and monitors compliance with the regulation, other data protection provisions and the internal rules of the person in charge of processing or of the processor ».
Article 30 of the GDPR - Register of Processing Activities:
« Each processing manager maintains a record of processing activities that describes, among other things, the categories of personal data ».
Under the GDPR, companies need to put in place a risk management system. Impact analysis is an integral part of this system: it identifies the risks and determines whether or not they are acceptable.
Article 35 of the GDPR - Data Protection Impact Analysis:
« The processing manager must carry out an impact assessment when a type of processing is likely to result in a high risk to the rights and freedoms of individuals. »
In addition, the data protection impact analysis must "at least contain a description of the processing and its purposes, an assessment of the necessity and proportionality of the processing operations, an assessment of the risks [...] and the measures envisaged to address these risks and comply with the regulation".