Since May 25, 2018, the GDPR has applied in the EU member states, superseding the directive of October 24, 1995 (Directive 95/46/EC); in France, the Data Protection Act of 1978 (Loi Informatique et Libertés) was amended to align with it. The GDPR, the General Data Protection Regulation (RGPD in French), is a European regulation that strengthens the protection of the personal data of any natural person and imposes new obligations on those who process this data.
Everyone is affected by this regulation, whether:
- European citizens who wish to protect and have control over their personal information;
- or any company, association, administration, organization or platform that collects and stores data that can identify a person (name, address, location, IP address, etc.).
Data collection is now regulated: the GDPR imposes a number of obligations on those responsible for processing this information. Here they are in 10 points.
Record of processing activities
Set up and maintain a record of processing activities, which replaces the former declaration to the CNIL. The company is now responsible for, and guarantor of, the privacy of the people who entrust it with their information, and it is up to you to demonstrate that your processing complies with the GDPR (the principle of accountability). In the event of a breach or failure in the processing of this data, you will be obliged to notify the CNIL.
Data protection officer
Appointing a data protection officer (DPO, or DPD in French) is mandatory in the cases set out in article 37 of the GDPR (public bodies, and organizations whose core activity involves large-scale regular monitoring of individuals or large-scale processing of sensitive data) and recommended for everyone else. The DPO ensures that the GDPR is implemented and complied with; their contact details must be published, communicated to the CNIL, and made known to the people in your files (in a privacy notice or by email, for example). Companies had a two-year transition period, from the regulation's adoption in April 2016 to May 25, 2018, to bring themselves into compliance before checks on its proper implementation began.
Information and transparency
All consumers and customers must be informed in a clear, precise, transparent and accessible manner about the processing of their personal data. They are entitled to know for what purpose(s) their information is used, who has access to it and how long it is kept.
They must also be made aware of their rights concerning their data: right of access, rectification, erasure, restriction of processing, objection, portability, and withdrawal of consent.
If you hold a customer file in your company, send an email to that effect to inform them without delay.
Right to be forgotten and erasure
Each person concerned by the processing of their data can request that their information be erased on the grounds listed in article 17 of the GDPR. The data controller concerned must then delete it without undue delay.
Consent
Any data processing based on consent must be subject to the express consent of the customer or consumer, and proof of that consent must be kept. Consent cannot be collected from persons under the age of 16 for online services offered directly to them; in that case the consent of a parent or legal representative must be obtained.
Data security and protection
Set up consistent and effective security measures to protect the data. As soon as a security incident or personal data breach occurs that is likely to pose a risk to the people concerned, you must notify the CNIL (within 72 hours of becoming aware of it), and, where the risk to their privacy is high, inform the persons concerned directly as well.
Proportionate and minimized data collection
Only the data necessary for the intended purpose should be collected. In addition, it must be relevant and directly related to the use to which it is put. Don't ask for superfluous information: it makes your form longer for the consumer, who can quickly be discouraged, it is useless, and it is now punishable!
Limited retention
The data retention period must be limited in time. In addition, following the CNIL's guidance on prospecting, any contact that has been inactive for 3 years must be deleted from the database.
Transfers outside Europe
The data collected must remain in the European Union. If it does not, the transfer must be subject to special safeguards (appropriate guarantees or authorizations).
Sanctions
Previously, non-compliance with the Data Protection Act could cost up to 150,000 euros. Now, with the GDPR, the fine can reach 20 million euros or 4% of the worldwide annual turnover of the company concerned, whichever is higher.
Despite all these constraints and restrictions, the GDPR remains an opportunity for companies to strengthen the security of the information they store and to limit data loss and the risk of hacking. In addition, customers will be more reassured and more confident about your business, so they will share their personal information more readily, which will make your exchanges with them easier and help you better understand their needs.
The era of untargeted mass marketing, whether by email or by post for example, is on its way out. And this is certainly good news for advertising, which will have to become more relevant and less invasive. Brands will be forced to take more care over the relationship they have with their customers.
About the Author
Director and founder of Kamelecom
Communication and advertising consultancy agency