The General Data Protection Regulation (GDPR) came into force in May 2018. While many companies have brought themselves into compliance, some are still struggling to put into practice requirements that can seem impractical in everyday operations. So what actions need to be implemented? How much will it cost? Where do you start? Who can support you through all these changes? How can you check that you really are GDPR compliant? Here are the answers: the practices to put in place to make your compliance concrete, whatever the size of your business.
Step 1: Know how to spot the manipulation and processing of data in your daily life
The first step is essential and is often rushed by companies: identifying every stage at which personal data is used or transmitted. Concretely, this step consists of listing the places, the tools and the people concerned by the compliance effort.
This list will contain, for example: your website, the contact forms it offers and the administrators or developers of that site, customer files, your newsletter mailing list, the servers holding data, but also some paper files…
We often hear companies say that they do not collect any information. Yet even a basic Google Analytics tracker already collects data from your website's visitors, so pay close attention to this first point.
Step 2: Internal and external awareness
Once this inventory is complete, you must draw up and distribute an IT charter for the protection of personal data. This charter must be communicated, understood, displayed and above all applied as a binding rule (having the people who directly handle sensitive data sign a confidentiality agreement is highly recommended). Do not hesitate to visit the CNIL website for examples.
Step 3: Management of authentication and access
Here we are talking about access and user accounts. You must make sure that your users have no shared accounts (for example, a single admin account used by several collaborators to administer your site).
Each user must have a username and password that are unique to them and that also meet the CNIL recommendation: a password made up of at least 3 of the 4 character types (uppercase, lowercase, special character, number), with a minimum of 12 characters. This password must be renewed regularly, and that renewal must be enforced.
On the website side, you must secure the various contact forms by using a CAPTCHA.
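As an added example (not code from the original article), the CNIL password rule from Step 3 as a check, together with a detector for the shared accounts the same step forbids; the session records and the overlap heuristic are constructed assumptions.

```python
# Added example (not from the original article): the CNIL password rule quoted
# above, plus a check for accounts that look shared. Session data is constructed.
from datetime import datetime
from typing import List, Set, Tuple

MIN_LENGTH = 12   # minimum length from the article
MIN_CLASSES = 3   # at least 3 of the 4 character types

def character_classes(password: str) -> Set[str]:
    """Return which of the four CNIL character types the password uses."""
    classes: Set[str] = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("number")
        else:
            classes.add("special")
    return classes

def password_meets_policy(password: str) -> bool:
    """True if the password satisfies both the length and the character-type rule."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) >= MIN_CLASSES

# A session record: (username, source address, login time, logout time).
Session = Tuple[str, str, datetime, datetime]

def shared_accounts(sessions: List[Session]) -> Set[str]:
    """Usernames logged in from two different sources at the same time.
    Overlapping sessions from different machines are a strong sign that one
    account (for example a single 'admin') is shared by several collaborators."""
    shared: Set[str] = set()
    for i, (user_a, src_a, in_a, out_a) in enumerate(sessions):
        for user_b, src_b, in_b, out_b in sessions[i + 1:]:
            if user_a == user_b and src_a != src_b and in_a < out_b and in_b < out_a:
                shared.add(user_a)
    return shared

# Constructed sample: 'admin' is used from two workstations at once, 'alice' is not.
SAMPLE_SESSIONS: List[Session] = [
    ("admin", "10.0.0.5", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 12, 0)),
    ("admin", "10.0.0.9", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 0)),
    ("alice", "10.0.0.7", datetime(2024, 3, 4, 8, 0), datetime(2024, 3, 4, 9, 0)),
    ("alice", "10.0.0.7", datetime(2024, 3, 4, 13, 0), datetime(2024, 3, 4, 14, 0)),
]
```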
Step 4: Direct access to personal data
It is essential here to drastically limit the number of users who have access to personal data and its management. You must cap this number and, above all, review the list of people with access at least once a year to verify that each access is still legitimate (people who have left the company, anyone who has completed a project and therefore no longer has the need to have access to
Step 5: Setting up a history and tracking system for the processing of personal data
What should we track and record?
This step concerns the monitoring of changes to personal data. Any intervention on that data must be written to a secure register managed by a data controller. Get support from a specialized GDPR agency for this step if you lack internal resources. You must therefore:
Identified and clarified monitoring
- Appoint a data controller and raise awareness of GDPR issues;
- Log each user access. Concretely, you must be able to provide: the user identifier, the date and time of connection, the date and time of disconnection, the actions performed and the data viewed;
- Review the records at a defined rate;
- Have the data controller raise the alert when abnormal use of access to information is detected.
Warning on the use of tracking
Please note that this register must in no case serve as a tool for monitoring your employees' work; its only purpose is to prevent misuse of sensitive data. Also be sure to include your office-based teams in this monitoring. In all cases, you must inform all of your teams that this tracking has been put in place.
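As an added example (not the article's own tooling), a minimal access register holding exactly the fields Step 5 requires, plus the periodic review that produces the alerts the data controller acts on; the thresholds (records per session, working hours, stale sessions) and the sample sessions are constructed assumptions.

```python
# Added example (not from the original article); thresholds and sessions are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class AccessRecord:
    user_id: str                                           # user identifier
    login_at: datetime                                     # date and time of connection
    logout_at: Optional[datetime] = None                   # date and time of disconnection
    actions: List[str] = field(default_factory=list)       # actions performed, e.g. "view"
    data_viewed: List[str] = field(default_factory=list)   # identifiers of the data viewed

class AccessRegister:
    """Append-only register; review() is what the data controller runs at a defined rate."""
    def __init__(self) -> None:
        self.records: List[AccessRecord] = []
    def open_session(self, user_id: str, at: datetime) -> AccessRecord:
        rec = AccessRecord(user_id=user_id, login_at=at)
        self.records.append(rec)
        return rec
    def log(self, rec: AccessRecord, action: str, record_id: str) -> None:
        rec.actions.append(action)
        rec.data_viewed.append(record_id)
    def review(self, now: datetime, max_viewed: int = 50, hours=(8, 20),
               stale_after: timedelta = timedelta(hours=12)) -> List[str]:
        alerts = []   # one line per abnormal use found in the register
        for r in self.records:
            viewed = len(set(r.data_viewed))
            if viewed > max_viewed:
                alerts.append(f"{r.user_id}: viewed {viewed} distinct records in one session")
            if not hours[0] <= r.login_at.hour < hours[1]:
                alerts.append(f"{r.user_id}: login outside working hours at {r.login_at:%H:%M}")
            if "export" in r.actions:
                alerts.append(f"{r.user_id}: exported personal data")
            if r.logout_at is None and now - r.login_at > stale_after:
                alerts.append(f"{r.user_id}: session opened {r.login_at:%Y-%m-%d %H:%M} never closed")
        return alerts

def demo() -> List[str]:
    """Constructed sample: one normal daytime session, one abnormal night-time session."""
    reg = AccessRegister()
    s1 = reg.open_session("alice", datetime(2024, 3, 4, 9, 15))
    for i in range(3):
        reg.log(s1, "view", f"customer-{i}")
    s1.logout_at = datetime(2024, 3, 4, 9, 40)
    s2 = reg.open_session("bob", datetime(2024, 3, 4, 23, 5))
    for i in range(120):
        reg.log(s2, "view", f"customer-{i}")
    reg.log(s2, "export", "customers.csv")
    return reg.review(now=datetime(2024, 3, 5, 12, 0))
```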
Step 6: What about your website?
Consent collection solution
First, cookies must be manageable individually, cookie by cookie. The cookie placed by Google Analytics (GA) must also be part of the consent request. Companies often want to keep their site traffic statistics regardless, but GA must be included in the consent system in order to be fully compliant with the recommendations. Note here that the centralized consent collection solution recommended by the CNIL is tarteaucitron.js.
An accessible personal data protection policy
Second, a personal data protection policy must be published on the site. It should not be confused with the legal notices or other information on the website. If necessary, this step can be entrusted to a web agency working alongside a specialized GDPR firm.
Limitation of communication ports
In addition to securing traffic with the HTTPS protocol, websites must also limit open communication ports to the bare essentials (for example, port 443 for HTTPS as the single open port).
Restricted and controlled administration
Administration of the website must be restricted to a small number of collaborators, each with individual access and individually assigned rights.
Monthly application maintenance
Finally, your website must be maintained and updated monthly through Third-Party Application Maintenance in order to limit security breaches and therefore malicious access to sensitive data.
Step 7: Administer data maintenance and destruction
First, your personal data processing protocol must contain all of your procedures, which ultimately allow you to prove that when data is destroyed, it really is destroyed. Second, a register records the person's agreement regarding said modification … Thus, the previously appointed GDPR manager is the guarantor of the existence of such a procedure and of its practical application on a daily basis.
Step 8: Prepare an internal and external continuity plan
When sensitive personal data is processed, a company must think through, organize and then write a continuity plan, both internal and external. This procedure explains and organizes a backup plan and, above all, a data recovery plan in the event of failures (internal or malicious).
This plan indicates in particular the person to be notified when an incident occurs and the procedure to be launched. It also sets out the procedure for resuming activity, first temporarily and then securely, the associated deadlines, and the final recovery of the data without any loss.
Step 9: Organize secure data transmission and exchange
Despite all this vigilance, in some cases certain sensitive data is transferred to a third party and therefore requires an appropriate procedure. Beyond the need to verify that this other entity is itself GDPR compliant, the data must be encrypted with cryptographic functions before it is sent.
The data is then protected by a password or a key communicated through a different channel from the one carrying the data. Take the example of a database used for sending emails: the CSV file is protected by a password sent by SMS, while the file itself is sent by email.
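As an added example (not code from the original article), the email-plus-SMS hand-off described above: the CSV is encrypted under a freshly generated password, the encrypted file goes out as the email attachment and the password as the SMS body. It assumes the Python `cryptography` package; the PBKDF2 and AES-GCM parameters and the sample CSV are this example's own choices.

```python
# Added example (not from the original article): encrypt a CSV for hand-off so the
# file travels by email and the password by a second channel (SMS). Assumes the
# 'cryptography' package; the KDF and AEAD parameters are this example's choices.
import os
import secrets
from typing import Dict, Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

SALT_LEN, NONCE_LEN, KDF_ITERATIONS = 16, 12, 600_000

def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the SMS password into a 256-bit AES key with PBKDF2-HMAC-SHA256."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt,
                     iterations=KDF_ITERATIONS)
    return kdf.derive(password.encode("utf-8"))

def encrypt_file(plaintext: bytes, password: str, filename: str) -> bytes:
    """Return salt || nonce || AES-GCM ciphertext+tag. The filename is bound as
    associated data, so one encrypted file cannot be passed off as another."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    ct = AESGCM(derive_key(password, salt)).encrypt(nonce, plaintext, filename.encode())
    return salt + nonce + ct

def decrypt_file(blob: bytes, password: str, filename: str) -> Optional[bytes]:
    """Return the CSV bytes, or None when the password, filename or blob is wrong:
    a failed GCM tag check means the content must not be used at all."""
    salt = blob[:SALT_LEN]
    nonce, ct = blob[SALT_LEN:SALT_LEN + NONCE_LEN], blob[SALT_LEN + NONCE_LEN:]
    try:
        return AESGCM(derive_key(password, salt)).decrypt(nonce, ct, filename.encode())
    except InvalidTag:
        return None

def prepare_transfer(csv_bytes: bytes, filename: str) -> Dict[str, object]:
    """Build the two payloads: the encrypted attachment for the email and the random
    password for the SMS. The two must never travel in the same message."""
    password = secrets.token_urlsafe(18)   # ~144 bits of entropy, typed once by the recipient
    return {"email_attachment": encrypt_file(csv_bytes, password, filename),
            "sms_body": f"Password for {filename}: {password}",
            "password": password}

# Constructed sample data: a tiny mailing list.
SAMPLE_CSV = b"email,first_name\nalice@example.com,Alice\nbob@example.com,Bob\n"
```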
Step 10: The future is being prepared with fresh eyes
To conclude, we stress the need to plan all of these GDPR compliance stages before your future projects. Each project must therefore plan for and anticipate the processing of sensitive personal data. As you can see, GDPR compliance must be prepared, put into practice and kept in mind at all times.
Finally, we would like to point out that all companies are affected by this regulation. If you want to know more, it’s here.