Compliance with the General Data Protection Regulation (GDPR) is essential for all companies handling personal data in Europe.
Coming into force in 2018, the RGPD establishes strict obligations to ensure that individuals' information is collected, stored and used securely and transparently.
However, complying with all the requirements of the RGPD can seem complex. A structured approach, based on regular testing and systematic checks, is essential to assess and maintain your compliance.
So what do you actually need to test and verify?
In this article, discover a complete checklist to support you in your RGPD compliance process.
What is the RGPD?
The General Data Protection Regulation (GDPR) is a European regulatory text that harmonizes the processing of personal data throughout the European Union (EU).
This regulation makes companies responsible for the collection, storage, use and transfer of personal data. It aims to defend the data rights of European citizens.
Each person concerned can :
- Request deletion of personal data,
- Know where this information is stored,
- Understand how they are used.
Consequences of non-compliance
Failure to comply with the RGPD exposes companies to significant penalties: fines of up to €20 million or 4% of worldwide annual sales.
This underlines the importance of constant vigilance and rigorous compliance through regular testing and verification.
The five key principles of the RGPD
The Commission Nationale de l'Informatique et des Libertés(CNIL) defines five fundamental principles to ensure compliance with the RGPD:
1. Purpose: data must be collected for a precise, explicit and legitimate purpose. It must not be reused at a later date for another purpose.
2. Relevance: only data that is strictly necessary to achieve the objective pursued should be collected.
3. Limited retention period: personal data must only be kept for as long as is necessary for the purpose for which it was collected.
They must then be deleted, anonymized or archived in compliance with applicable legal requirements.
4. Security: the data controller must take all necessary technical and organizational measures to guarantee the integrity and confidentiality of data, preventing any unauthorized access by third parties.
5. People's rights: individuals must retain control over their personal data.
Each person has the following rights, which may be exercised with the data controller:
- Access to your data and the possibility of obtaining a copy,
- Rectification of inaccurate or incomplete data,
- Opposition to their use (except in the event of legal obligation, such as registration in a civil status file).
To whom does the RGPD apply?
The GDPR applies to a wide range of entities that process personal data, whether they are located in the European Union (EU) or not.
In other words, the Regulation has extraterritorial reach, meaning that it can apply to organizations located outside the EU if they process personal data of EU residents.
RGPD compliance is mandatory for:
Data controllers: organizations or individuals who determine the purposes and means of processing personal data.
Subcontractors: entities that process personal data on behalf of data controllers.
Data subjects: individuals whose personal data is collected and processed by an organization.
RGPD compliance checklist
1. Map and identify your personal data
The first step is to identify the data you collect and how it flows through your company:
- What data do you collect (names, e-mail addresses, IP addresses, telephone numbers, etc.)?
- Where are they stored (internal servers, cloud, third-party services)?
- Why do you collect them? Make sure every collection has a clear and legitimate purpose.
- Who has access? Restrict access to authorized people in your organization.
Tip: Keep a treatment register to document this information.
2. Check the legal basis for data processing
All data collection and processing must have a legal basis.
The right questions to ask :
- Have you obtained clear consent?
- Is it necessary for a contract? For example, to provide a service or deliver a product.
- Is there a legal obligation? Like keeping invoices or civil status files.
- Is it in your legitimate interest? Of course, this interest must not prejudice the rights of the persons concerned.
3. Make sure you obtain valid consent
Consent is at the heart of the RGPD. To be compliant:
- Use clear, simple forms, free of legal jargon.
- Provide an easily accessible option for refusing or withdrawing consent.
- Keep a record of all consents obtained, including date and context.
Example: If you're sending out newsletters, make sure you have a checkbox that isn't pre-ticked so that the user explicitly agrees.
4. Securing your personal data
Some essential measures when it comes to data security :
- Data encryption : Protect sensitive information with encryption.
- Access control: Only authorized persons should have access to data.
- Regular audits and tests: Perform security tests (penetration tests, audits) to detect vulnerabilities.
- Incident action plan: Prepare a clear procedure for reacting in the event of a data leak (notification to the CNIL and to the persons concerned).
5. Respect user rights
Data subjects have rights over their personal data, and it is your responsibility as a company to offer them simple and accessible ways of exercising these rights.
- Data access: Give users a way to access their information.
- Rectification and deletion: Allow them to correct or delete their data on request.
- Data portability: facilitate the transfer of their information in a clear, structured format.
- Opposition: Respect their refusal to use their data, particularly for marketing purposes.
Tip: Create a dedicated page or e-mail address where users can make their requests.
6. Audit your subcontractors and third-party services
If you use service providers to process data (host, CRM, marketing tools), make sure they also comply with the RGPD :
- Compliant contracts: Include clauses specifying your subcontractors' data protection obligations.
- Regular verification: Audit their practices to ensure compliance.
- Leak notification: Make sure they alert you quickly in the event of a data breach.
7. Implement a compliant cookie policy
If your site uses cookies, inform your users and obtain their consent:
- Add a clear consent banner with opt-in, opt-out and personalization options.
- Do not install any cookies until the user has given his explicit consent.
- Provide a link to your privacy policy for more details.
8. Update your privacy policies
Your privacy policy should be easily accessible (usually via a link in the footer of your site) and written in clear, understandable language.
It must include :
- Why you collect data.
- What types of data are collected.
- How they are used and protected.
- Users' rights and how to exercise them.
9. Analyze risks with an impact analysis (AIPD)
For high-risk processing (e.g. collection of sensitive data or large-scale surveillance), carry out a Data Protection Impact Assessment (DPIA):
- Identify risks to people's rights.
- Put measures in place to mitigate them.
- Consult the CNIL if the risks cannot be reduced.
10. Prepare an action plan in case of violation
No system is infallible. In the event of a data leak :
- Identify the source of the problem and block access to the data.
- Inform the CNIL within 72 hours.
- Notify users if their rights are threatened.
- Document the incident and reinforce your security measures.
Ensure your RGPD compliance with Mr Suricate !
Mr Suricate supports you in RGPD compliance by guaranteeing the security and reliability of your IT systems.
Thanks to our comprehensive range of tests, we can help you identify and correct potential faults in your system.
Our solutions are designed to help you comply with the key principles of the RGPD: purpose, relevance, retention period, data security and user rights.
Regain control of your applications by detecting bugs in real time on your websites, mobile applications and APIs. We reproduce user paths at regular intervals for continuous, high-performance monitoring.
