GDPR – Part 2: What are the key rules to respect?
GDPR: 5 key rules and principles to know and apply!
GDPR & data processing: the key principles
Does the GDPR seem complicated? No need to panic: WS is here to walk you through it.
Between good practices, key reflexes and main principles, WS reveals the 5 golden rules of the General Data Protection Regulation!
On the programme:
- Purpose of data processing
- Legality of processing personal data
- Limited retention of personal data
- Monitoring & Securing data processing activities
- Transparency & Data subject rights!
Note: In France, the supervisory authority that enforces the GDPR and publishes guidance on applying its principles is the CNIL (Commission Nationale de l’Informatique et des Libertés).
At the heart of the GDPR: the purpose of each data processing
An essential principle of GDPR compliance: the purpose of the processing must be specific, determined in advance and limited.
Purpose? This is the objective that motivates the collection, recording, use and cross-referencing of data for your activities. All data collection must serve legitimate and clearly defined objectives, stated in a way that is simple and understandable for your users.
In practice, this means that each piece of data must be collected for a specific purpose, which is presented and justified to the persons concerned. This assures your users that their data will not be used for anything other than the purpose they were informed of (seen, read and agreed to) in the first place.
And what goes hand in hand with the purpose limitation principle? The principle of data minimization!
Minimization? It means collecting only the data you really need and making sure it is accurate (and up-to-date 😉 )!
The data collected must be “adequate, relevant and limited to what is necessary” for the purpose defined for each collection.
In concrete terms, ask yourself whether the data has a direct link with the objective you are pursuing (counter-example: a candidate’s family situation, asked about during a job interview, has nothing to do with their skills!).
In short: don’t give in to curiosity (or compulsive data collection ;)) and stick to the essentials!
Lawfulness of processing – the legal bases recognized by the GDPR
Knowing the basic principles related to the purpose of the processing is good, but understanding the legal bases on which to build your GDPR compliance is better!
So, what are the legal bases provided by the GDPR?
The GDPR allows you to base your collection and processing of personal data on one of the 6 legal bases provided by its Article 6 (GDPR, Chapter II, Art. 6). Here are the 5 most commonly invoked ones (the sixth, protecting the vital interests of the data subject, rarely applies outside emergencies):
- Consent: the user has agreed (freely given, specific, informed and unambiguous consent) to the collection and processing of their data for the stated purpose;
- Contract: the data is collected and processed in order to prepare or perform a contract with the user (for example: the T&C accepted by your user when subscribing to a service);
- Legitimate interest: the data is collected and processed to pursue your organization’s legitimate interests (statistics, commercial objectives…), provided those interests are not overridden by the rights and interests of your web users (this balancing test must be documented);
- Public interest task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, as laid down by EU or national law;
- Legal obligation: the data is collected to meet a legal obligation (taxation, census, other…).
Keep in mind: One purpose and one legal basis at a time!
Each collection & processing of personal data must have its own purpose and legal basis. It is not possible to “cumulate” legal bases for the same purpose: only one must be chosen.
GDPR & collected data: best practices
Limited retention period – Define a time of use for the personal data collected
Whatever the legal basis chosen to justify the processing of your data, always make sure you follow the principle of storage limitation for the data collected!
Because yes: personal data has an expiry date too.
Keeping personal data indefinitely? No way! A retention period is defined by the data controller, depending on the purpose of the data collection.
For each data processing, you must determine :
- A fixed retention period (1 year, 5 years, 10 years…)
- Or the criterion (as objective as possible, therefore quantified and reliable) used to determine the retention period (e.g. reaching a quantified and achievable objective, the duration of a contractual relationship, etc.)
Note: in some cases, the law itself defines this limited retention period.
A concrete case that might interest you? The retention of a prospect’s data for your product/service offer! In France, the CNIL’s guidance caps this at 3 years, starting from the last contact with the prospect in question.
After this period, the data must be deleted or anonymized, or moved to a separate, access-restricted archive if (and only if) a legal obligation or potential litigation justifies keeping it.
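The two options above (a fixed period, or a criterion such as the last contact with a prospect) only work if something actually enforces them. The following is an added example, not code from the original article or from WS: a small retention job that applies a per-purpose schedule to records, computing each record’s expiry from a reference date (the last contact for prospects) and then keeping, anonymizing or deleting it. The schedule, the `Record` fields and the sample records are constructed for illustration; only the 3-year prospect rule comes from the text above.

```python
"""Retention schedule enforcement (added example, hypothetical data model).

Assumptions: every record carries the purpose it was collected for and the
date of the last event relevant to that purpose (e.g. the last contact with
a prospect, or the end of a contract). The schedule below is constructed;
only the 3-year rule for prospects comes from the article.
"""
from dataclasses import dataclass, replace
from datetime import date
from enum import Enum


class Action(Enum):
    KEEP = "keep"
    ANONYMIZE = "anonymize"   # remove direct identifiers, keep for statistics
    DELETE = "delete"


@dataclass(frozen=True)
class RetentionRule:
    years: int          # fixed period counted from the record's reference date
    on_expiry: Action   # what happens once the period has elapsed


# Constructed schedule: purpose -> rule. Unknown purposes are deliberately
# absent so that a record collected without a declared purpose fails closed.
SCHEDULE = {
    "prospecting": RetentionRule(years=3, on_expiry=Action.DELETE),      # from the text
    "newsletter": RetentionRule(years=3, on_expiry=Action.DELETE),       # invented value
    "order_history": RetentionRule(years=10, on_expiry=Action.ANONYMIZE),  # invented value
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    email: str          # the direct identifier we strip when anonymizing
    last_contact: date  # reference date for the retention period


def add_years(d: date, years: int) -> date:
    """Calendar-accurate year arithmetic (29 February rolls back to 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(record: Record, today: date) -> Action:
    """Return the action the schedule requires for `record` on `today`."""
    rule = SCHEDULE.get(record.purpose)
    if rule is None:
        raise ValueError(f"no retention rule for purpose {record.purpose!r}")
    expiry = add_years(record.last_contact, rule.years)
    return rule.on_expiry if today >= expiry else Action.KEEP


def anonymize(record: Record) -> Record:
    """Strip the identifier; the purpose and dates stay usable for statistics."""
    return replace(record, email="")


def apply_schedule(records, today: date):
    """Return (retained_records, deleted_ids).

    Anonymized records are retained without their identifier; deleted
    records are returned as ids so the caller can log the purge.
    """
    kept, deleted = [], []
    for r in records:
        action = decide(r, today)
        if action is Action.KEEP:
            kept.append(r)
        elif action is Action.ANONYMIZE:
            kept.append(anonymize(r))
        else:
            deleted.append(r.record_id)
    return kept, deleted


# Constructed sample data and a fixed "run date" so the example is deterministic.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("p1", "prospecting", "alice@example.com", date(2021, 5, 31)),   # 3 years elapsed
    Record("p2", "prospecting", "bob@example.com", date(2021, 6, 2)),      # still within 3 years
    Record("o1", "order_history", "carol@example.com", date(2014, 3, 1)),  # 10 years elapsed
]


def run_example():
    return apply_schedule(SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    kept, deleted = run_example()
    for r in kept:
        print(f"kept {r.record_id} ({r.purpose}) email={r.email!r}")
    print("deleted:", deleted)
```

Two design points worth keeping in a real job: the purpose is the key to the schedule, so a record with no declared purpose raises instead of being kept by default, and the reference date is stored on the record rather than recomputed, so the "last contact" criterion is auditable when the CNIL asks why a record still exists.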
Tracking and securing of the data used
Whatever the retention period defined for your data, 2 requirements apply to you: carefully recording and tracking the data you collect and use, and securing it.
- Data security & confidentiality: you must ensure the security of your premises and information systems, with measures appropriate to the risk the processing presents for the people concerned (Art. 32). The ABCs? Control access to each database with individual accounts, strong authentication and access rights limited to what each role needs; go further with encryption of data at rest and in transit, pseudonymization where the purpose allows it, backups, and regular testing of these measures.
- Track data collection & use thanks to the record of processing activities: as a data controller, you must build and keep a register of the processing activities carried out under your responsibility (Art. 30). This register can be maintained by your Data Protection Officer (DPO) where you must appoint one (public authorities, large-scale monitoring or large-scale processing of sensitive data) or have chosen to, but the obligation to keep it remains yours.
Need help designing your processing register, or have other questions about the GDPR? Do not hesitate to contact us, we are here to guide you!
Transparency & Respect of Users’ Rights
We cannot repeat it enough: to respect the spirit of the GDPR, transparency is the key! The obligation of transparency of information is a fundamental principle of the GDPR.
You must inform your users in a lawful, fair and transparent way about the processing of their data. Don’t forget to also inform them about how they can exercise their rights, so they can decide whether or not to entrust you with their data. You will find all the details about your users’ rights in our next article!
By following these principles and best practices, you are building your GDPR compliance step by step!
Reminder – the 4 pillars of the GDPR:
1 – Purpose & Data Minimization – Collect only the data that is really necessary: what are your objectives? What data is really relevant and essential to fulfill them?
2 – Transparency – Inform users about the collection and use of their data: what data is collected? For what purpose? Who manages the collection and processing of this data?
3 – Rights – Know & respect people’s rights over their data
4 – Confidentiality & Security – Implement controlled access to collected data and security measures adapted to the sensitivity of the data processed
Sources, for more information:
Go to the CNIL website or to your favorite web agency!
- Little bonus, our article on GDPR compliance is online!