RGPD: How to comply?

What is the RGPD?

The General Data Protection Regulation (GDPR) is a European regulation. Voted in the European Parliament in 2016, its implementation is worldwide, and the body in charge of its respect in France is the CNIL, the National Commission for Information Technology and Liberties.

The purpose of this regulation, which challenges the practices of web professionals, is to ensure that every individual has control over and protection of the personal data they provide whenever they visit sites on the web.

What is personal data?

Personal data is any data that directly or indirectly identifies an individual:

An individual can be identified through his or her first name, last name, email address, phone number, and any type of demographic data whether it was collected on the web or directly within the company.

We can also identify him on the web thanks to purely numerical information: IP address, Browser, OS, Visits or Clicks...

What does the law say?

3 important axes stand out:

• Improving user consent when a website collects their personal data.
• Traceability and high security of user data. Reinforcement of the law regarding data security breaches, and making the company that collects them responsible for their proper storage and protection.
• The right of the Internet user to rectify, modify, delete or collect his personal data at any time.

Who is concerned?

The RGPD concerns any person, natural or legal, who would have to touch personal data of European Union citizens in the context of his professional activity.

If you collect, use or store this type of data you are in the target of this legislation and this, whatever the sector of activity or the size of your structure.

Another very important point is that even if you or your company are based, or store your data, outside the European Union, the GDPR applies to your business.

The legislation is indeed from the point of view of the Internet user: if you process data of an individual residing in one of the 28 EU members, you are concerned.

What penalties are involved?

The RGPD reinforces the system of sanctions already in place. The administrative fines detailed in the legislation are much more important. They can reach up to 4% of the turnover, and up to 20 million euros for the most serious violations.

What do you need to change on your site?

1. Update your general terms and conditions of sale (GTC), terms of use (TOU) and privacy policy

1.1 A clear privacy policy

Your privacy policy page, usually located in your footer, should now concretely explain what you do with this data .

Here are the sections that should be included in your privacy policy:

• What information does MY COMPANY collect?
• How does MY COMPANY use my information?
• How does "MY COMPANY" share my information?
• How does MY COMPANY respond to legal requests for my information?
• How do I manage my information stored in "MY COMPANY"?
• What happens if "MY COMPANY" closes my account?
• Where does "MY COMPANY" store my information?
• Which company is responsible for processing my data?
• How can I contact "MY COMPANY"?
• Use of Cookies: What cookies and similar technologies are used by MY COMPANY?

1.2 T&Cs and UGCs in accordance with the RGPD

The Terms of Use page of your website will also have to be changed in order to comply with the RGPD. It is recommended that you add your privacy policy now, with all the RGPD guidelines you have included.

Putting these elements in place on your site is first and foremost to install an atmosphere of trust.

2. Information banner and consent form 

This mechanism for collecting user consent can take the form of a banner, at a minimum, detailing in a clear and easily understandable way the personal data collected, the processing and the associated retention periods. It is important to include an "accept" button to collect the user's explicit consent before activating cookies, as well as a "choose cookies" button to provide details on each type of data collected and its purposes, and thus give the possibility of accepting the various data collections individually.

3. Review all the forms on your site

The parts of your website that will probably be the most impacted by the RGPD are the forms. It is indeeda key point of contact between you and your visitors, and it is in this precise context that they share their data with you.

It is common to use forms, especially to propose the registration to a newsletter. At this point of contact, your users share personal data with you: usually email, first name and last name

• Add a checkbox indicating that the user consents to share his/her data ("I authorize company X to save my data")
• Specify the reason for the collection of data (e.g. "Enter your email address to receive our newsletter")
• Offer users the ability to unsubscribe or access their data easily and at any time

Here is a good / bad of the future appearance of your forms (if you have a newsletter that can offer commercial offers) :

Also note that you can no longer ask a customer to leave you data that has no relation to what they are signing up for. If you ask them to sign up for a newsletter, for example, there's no need to ask them their gender or even their age. The party is over 🙂

4. Implement a data security process

It is now the responsibility of the data holder to protect it.

4.1 Create a process for deleting or modifying data

With the GDPR, each type of data now has a specific legal retention period. You are no longer allowed to keep customer or user data indefinitely without using it.

You will therefore need to set up a simple procedure that allows your users to :

• Withdraw their consent
• Access their data
• Change them
• Ask to delete them
• Request to transfer them to a third party (this is called the "right to portability")

It will be necessary to do the same on your newsletters, but also in your banners of signalling of cookies, or still in your advertising banners if you have some...

Create a specific email box, type :

privacy@votresite.com

which will allow you to receive all the requests for exercising the right of persons.

Then, upon receipt of each application:

• If you withdraw your consent, you will have to delete or modify the user's personal data as soon as possible and in all your storage locations (including the backup files of your WordPress site).
• Data portability means that you will need to export any data you have in a machine-readable format so that the person can pass their data to another entity without having to re-enter it.

The party is over 🙂

 

4.2 Preparing for a possible security breach

You will also need to ensure that you effectively guarantee the security of your users' personal data.

Here are a few things you should consider:

• It is necessary to put in place adequate measures and techniques to guarantee a high level of security for your users' data. Data encryption, pseudonymization, encryption... Your internal processes must be clear on this subject.
• You will have to inform the CNIL within 72 hours in case of a security breach. In some cases, you will even have to inform the concerned user, especially if the breach is likely to generate a high risk for his rights and freedoms.

5. Establish an internal data processing register

Before the GDPR, any company processing personal user data had to report it through a declaration or authorization system. As of May 25, this procedure is no longer necessary, and is replaced by another obligation: that of keeping a data processing register.

Your registry will need to answer three key questions about your data processing:

• WHO? Who are the people in-house who process data and, if applicable, your subcontractors.
• WHAT? To map the processing of personal data carried out by your organization (type of data collected, purposes of processing, proof of consent, information made available to the persons concerned, etc.);
• HOW? How this data is processed (transfer abroad or not, hosting or not, archiving or deleting data, etc.)

This register must be kept up to date at all times.

This register must be kept by the DPO. The DPO will replace the current Correspondant Informatique et Libertés (CIL) and will be responsible for monitoring compliance with the RGPD and cooperating with the CNIL. The DPO can be an internal or external person (lawyers, consultants...).

Going further: