How to comply with the GDPR?

All structures (private companies, public companies, associations, …) handling personal data concerning European citizens must comply with the GDPR.

Here is the procedure to follow to start your GDPR compliance :

1. Conducting a GDPR audit
2. Create a data log : this log keeps track of the entire compliance process, so it is essential to keep it up to date as you move forward with your GDPR compliance
3. Organize the storage of your data: structuring and rationalizing them while ensuring the level of data security.
4. Assessing and documenting the risks of data collection on the privacy of data subjects by carrying out a Privacy Impact Assessment (PIA)

As a first step, it is necessary to understand the legal framework of the General European Data Protection Regulation. In order to be able to apply the rules of the GDPR, it is necessary to understand the legislation and the consequences of non-compliance.

The General Data Protection Regulation is the new reference text in the European Union regarding personal data.

With the explosion of digital technology, the emergence of new uses and the implementation of new business models, it has become necessary to harmonize European legal rules on the protection of personal data. This general European data protection regulation therefore applies to all member states of the European Union. It also applies to foreign companies that process the personal data of European citizens.

The GDPR aims to protect the personal data of internet users. Indeed, with the implementation of the GDPR, it is compulsory to obtain the prior consent of the persons concerned if the company wants to be able to collect their personal data.

The General Data Protection Regulation imposes a number of obligations to be respected :

• The principle of Accountability: this is the obligation for the company to make every effort to comply with the
• Privacy By Design: this involves protecting personal data from the very beginning of a project to collect and process personal data
• Keep a record of personal data processing.
• Make data security in your company a top priority
• Notify the CNIL in case of data leaks
• Naming a DPO in some cases
• Carrying out a privacy impact assessment (PIA) for each data processing operation
• Inform company employees about GDPR and cybersecurity.
• Make sure that your company’s subcontractors apply the GDPR if they have access to company data (personal data of your employees, customers, prospects, ).

In addition to the obligations set out in the GDPR, we recommend that you put in place the following elements in order to avoid any sanction from the CNIL and to ensure your compliance with the GDPR :

• Establish a real protection of personal data
• Be transparent to the data subjects : inform them about the purpose of the processing of these data
• Have obtained the clear and precise prior consent of the persons concerned by the collection and processing of personal
• Raise awareness and train your company’s staff on GDPR and cybersecurity.
• Have a data backup plan in case of a data breach or cybersecurity attack, which will also provide evidence in the event of a data protection authority inspection.