On April 14, 2016, the European Union adopted the General Data Protection Regulation (GDPR), intended to become the reference text for the protection of personal data within the Union.
Its provisions become directly applicable in all Member States from 25 May 2018 and are backed by much stricter penalties for non-compliance, which means organizations must take a number of actions to become compliant. Some of the novelties introduced by this regulation are listed below:
- Strengthened rights for data subjects (portability, erasure or "right to be forgotten", restriction of processing, legal remedies against controllers and processors, compensation for damage suffered)
- The accountability principle (the controller must be able to demonstrate and explain the measures implemented to comply with the GDPR)
- Privacy by design / by default (protection measures built in from the design stage of the processing, and processing limited by default to the minimum necessary)
- The appointment of a Data Protection Officer (DPO)
- Data protection impact assessments for processing operations
- A framework governing profiling
- Requirements on the lawful basis for processing and on the conditions for consent
- Expanded obligations for processors
- Higher sanctions (administrative fines of up to 20M EUR or 4% of the total worldwide turnover of the preceding financial year, whichever is higher)
Audit of internal data processing and personal data protection procedures
This prerequisite for drawing up the action plan also feeds the preparation of the register of processing activities. It consists of identifying the personal data held and the processing operations concerned, analysing the current level of compliance with the GDPR, identifying the gaps and defining an action plan.
Our approach starts with a diagnosis of the existing compliance program, in order to make the best use of the time spent, to achieve maximum synergies and to win the support of all members of the organization.
Identifying and addressing risks
Our support is built on a risk-based approach so as to prioritize strategic objectives and orientations. Special attention is given to risk exposure (impact on activities, on the organization and on regulatory compliance) and to the resources available.
Assessing the risks of non-compliance helps the organization to understand the extent of its exposure to those risks, including the likelihood that they materialize, the potential reasons for their materialization and the impact this would have on the organization.
Deploying a compliance program
Deloitte Société d'Avocats will assist you in deploying your GDPR compliance program through a roadmap designed for your needs.
This may include:
- Setting up training sessions and raising awareness among the employees concerned of the requirements of the GDPR
- Establishing an internal process for notifying and managing personal data breaches
- Establishing internal procedures for honouring the rights of data subjects
- Reviewing and amending contracts with processors
- Appointing a DPO and following up on the DPO's tasks
- Assistance in dealings with supervisory authorities (CNIL, the Article 29 Working Party (G29), etc.) and in potential litigation
Compliance requires a coordinated, multidisciplinary approach involving all levels of the organization as well as third parties (suppliers, processors), and it relies on people, internal processes and information systems.
Our proximity to the experts of the Deloitte network allows us to offer this multidisciplinary approach combining lawyers, consultants and business experts, as well as a global and coordinated approach with Deloitte network professionals across the European Union for any intra-Community subsidiaries that are also subject to the GDPR.