Do you have a project?
Our experts will support you throughout the management and deployment of your project.
It is essential to ensure that your users' data, and all processing performed on it, remain GDPR compliant for the entire life of the project.
If, at launch or in the course of your business, you plan to build or use a website or an application (mobile or tablet), here are the six main steps to follow in order to develop it in a privacy-friendly way within the meaning of the GDPR.
1- Make yourself aware of the main principles of GDPR
If you are working in a team, it is recommended to identify a person in charge of compliance management. To do this, you have two options:
Depending on your project and the data you collect, appointing a Data Protection Officer (DPO) may become mandatory. Under Article 37 of the GDPR this is the case when your core activities involve large-scale processing of so-called "sensitive" data (special categories of data, or data relating to criminal convictions), large-scale regular and systematic monitoring of individuals, or when you are a public authority or body.
2 – Mapping and categorizing data and processing
At each stage of your project, record precisely the processing carried out by your program, website or application. This lets you verify that each processing operation is performed in compliance with the GDPR.
Keeping a record of processing activities, in addition to being mandatory depending on the data you process (Article 30 of the GDPR), gives you a global view of this data and allows you to identify and prioritize processing operations according to the risks associated with them.
3 – Prioritization of actions and deployment
Based on the record of processing you have set up, you must identify, before development begins, the actions to be carried out in order to make your project GDPR compliant. Once identified, prioritize the actions and points of attention that involve risks for the data subjects whose data is collected.
The points of attention include:
4 – Risk management
Among the personal data you process, some are likely to generate risks of varying degrees for the people they concern. You must ensure that these risks are managed appropriately, in accordance with the context and the regulations in force.
In some cases, a Data Protection Impact Assessment (DPIA, also called a Privacy Impact Assessment or PIA) is required. This analysis allows you to verify that these risks are appropriately controlled. Note that a DPIA is mandatory under Article 35 of the GDPR whenever the processing is likely to result in a high risk for the rights and freedoms of the people concerned, which includes large-scale processing of so-called "sensitive" personal data (medical data, ethnic data, etc.).
5 – Organization of internal processes respecting a charter
In order to ensure compliance throughout the various stages of your project, make sure that all your internal procedures guarantee that the protection of data subjects' data is taken into account in every component of the project. Your internal processes should also cover external events that may occur:
6 – Document your compliance
In the event of an inspection, you will have to prove your compliance with the GDPR at each step of your project. All actions carried out, planned actions, and the documents related to them must be justified, stored and easily accessible.
To do this, you must present documentation that is up to date and consistent with the objectives of your project and its deployment.
As mentioned above, you need to document your compliance in order to demonstrate it.
To do so, your file will need to include three main categories of documentation:
1 – Documentation on your personal data processing
2 – Documentation on informing people
3 – Documentation on contracts defining roles and responsibilities
3 – Step three: bringing your processing operations into compliance
1 – Identify all your processing
As data controller, you must keep an up-to-date record of processing activities, indicating for each processing operation:
The purpose of the data collected:
2 – Sorted and up-to-date data
When reading your record of processing, you must be able to quickly determine whether:
3 – Informing people
Every time you collect data, whether through a form on your website, through a remote service or during an oral exchange, you must inform the person concerned of the conditions of use of their data and of their rights.
Consent is one of the legal bases on which an organization may process data (Article 6 of the GDPR). Where you rely on it, the data subject must give their consent in a way that meets the four cumulative criteria defined in Article 4(11): it must be freely given, specific, informed and unambiguous. Thus, a data subject's consent must be:
4 – An organization that facilitates the exercise of rights
All stakeholders of an organization (employees, subcontractors, contractors, etc.) have rights over their data. It is therefore the responsibility of the data controller to allow these people to exercise their rights in the simplest way possible:
All our teams of experts are trained to work in project mode.
Consequently, we are able to intervene at any point in the process to manage the compliance of an organization, whatever the size of the entity or its sector of activity.
Our flexibility and responsiveness allow us to take part in the deployment of a PMEC (Compliance Action Plan) and in an in-depth audit carried out by us, by another company or by an internal DPO.