RGPD compliance guide: how to protect your users' personal data?


    For a few years now, the RGPD has aroused a great deal of interest and raised many questions, and yet do you really know what it is? Because YES, this regulation concerns us all, whether we're users or professionals!


    What is the RGPD?

    According to economie.gouv, the General Data Protection Regulation (GDPR) is a European regulatory text that frames data processing equally throughout the European Union (EU).

    This text was put in place in response to the growing challenges posed by the digitization of our economy and the rise of all kinds of technologies.

    Objectives include:

    1. Privacy protection,
    2. Harmonizing data protection laws at European level,
    3. Adapting legislation to technological developments,
    4. Strengthening individual rights,
    5. Making companies and organizations more accountable.

    The last point is of particular interest to us: today any company or organization can collect and store data, but how do you achieve seamless RGPD compliance?


    The fundamentals of the RGPD:

    The Commission Nationale de l'Informatique et des Libertés (CNIL) sets out 5 principles:

    THE PURPOSE

    The information we gather is collected for a specific, stated reason, its purpose, and we don't use it for anything else afterwards. What we may do with this data depends on what we declared we wanted to do with it in the first place. In the end, we use it only for what we originally intended, and no more.

    Let's imagine that a company's website collects personal information when a customer creates an account on the platform.

    The purpose of collecting this data is to enable the company to provide online sales services to its customers, such as order processing, product delivery and customer service.

    The company collects customers' personal data (name, address, e-mail address, telephone number, etc.) in order to facilitate transactions and offer a personalized online shopping experience.

    In this example, the company does not use customers' personal information for marketing activities without their explicit consent.


    RELEVANCE

    We only collect the information we really need to achieve our goal.

    The idea is not to get bogged down with tons of data. We concentrate only on what we really need to achieve the stated purpose: we sort it out!

    Suppose an e-commerce company launches a new home delivery service.

    The company's main objective is to collect the information needed to deliver the products ordered by its customers on time.

    To respect the principles of privacy protection, the company must limit the collection of data to what is necessary for delivery. Consequently, it avoids collecting superfluous information such as:

    • The customer's social security number,
    • Their political views,
    • How they spend their Saturday afternoons.


    LIMITED RETENTION PERIOD

    The information we store must be kept, and remain identifiable, only for as long as we need it to achieve our goal.

    It is then destroyed, anonymized or archived, in accordance with the legal rules governing the retention of public archives.

    For example, CVs of candidates for a position in your company should not be kept for more than two years!

    Candidates also have the right to ask for their information to be deleted, so a company must ask for their agreement if it wishes to keep their information for a longer period with a view to a future job opening.

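    As an added example (not code from the post or from Mr Suricate), here are the purpose, relevance and retention principles above expressed as checks a data-handling service could run before storing, reusing or keeping a record. The purpose table, the field lists and the five-year sales retention are assumptions; the two-year limit for candidate CVs comes from the post.

```python
from datetime import date, timedelta

# Constructed policy table (an assumption, not from the post): the fields each declared
# purpose justifies collecting, and how long records serve that purpose. The two-year
# limit for candidate CVs follows the post; the five-year figure for sales is assumed.
PURPOSES = {
    "online_sales": {"fields": {"name", "address", "email", "phone"},
                     "retention": timedelta(days=5 * 365)},
    "recruitment":  {"fields": {"name", "email", "cv"},
                     "retention": timedelta(days=2 * 365)},
}

def minimise(purpose, submitted):
    """Relevance: keep only the fields the purpose justifies; report what was dropped."""
    allowed = PURPOSES[purpose]["fields"]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    dropped = sorted(set(submitted) - allowed)
    return kept, dropped

def can_use_for(record, new_purpose):
    """Purpose limitation: data collected for one purpose is not reused for another
    (e.g. marketing) unless the person gave explicit consent for that new purpose."""
    if new_purpose == record["purpose"]:
        return True
    return new_purpose in record.get("consented_purposes", set())

def retention_action(record, today):
    """Limited retention: past the period the record is deleted (or anonymised if only
    statistics are needed), unless the person agreed to a longer retention."""
    expiry = record["collected_on"] + PURPOSES[record["purpose"]]["retention"]
    if today <= expiry or record.get("retention_extended_with_consent"):
        return "keep"
    return "anonymise" if record.get("keep_for_statistics") else "delete"

def retention_sweep(records, today):
    """Return the action to take for each record; a scheduled job would apply them."""
    return {r["id"]: retention_action(r, today) for r in records}

# Constructed sample records for a stand-alone run.
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "recruitment", "collected_on": date(2021, 1, 10)},
    {"id": 2, "purpose": "recruitment", "collected_on": date(2021, 1, 10),
     "retention_extended_with_consent": True},
    {"id": 3, "purpose": "online_sales", "collected_on": date(2023, 6, 1),
     "consented_purposes": {"marketing"}},
]

if __name__ == "__main__":
    print(minimise("recruitment", {"name": "A", "cv": "...", "social_security_number": "x"}))
    print(retention_sweep(SAMPLE_RECORDS, date(2024, 3, 1)))
```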

    SECURITY

    You need to do everything you can to keep your data secure and confidential, ensuring that no unauthorized person gets their hands on it.

    If you're a healthcare company managing your patients' electronic medical records, you're responsible for the security and confidentiality of your patients' sensitive health data.

    We're talking here about physical measures (locked premises, secure cabinets, etc.), logical and technical measures (firewalls, intrusion detection software, authentication systems), strict management of authorizations and access rights, and supervision of outsourced operations.


    PEOPLE'S RIGHTS

    The people whose data is used must remain in control. The law says that no one can collect their information without their knowledge.

    They need to know in advance why we're doing it, who's going to see their data and how they can say no if they want.

    These "Informatique et Libertés" rights, which can be exercised with the organization holding the information, are:

    • The right to see their data and obtain a copy,
    • The right to have errors corrected,
    • The right to object to the use of their data, unless there is a legal basis for it, such as a civil registry.


    What am I risking?

    After an inspection or several complaints, the CNIL, or its president, can impose sanctions on data processors who fail to comply with these texts.

    Penalties can be as high as 20M euros or 4% of worldwide annual sales. 

    When non-compliance with the RGPD or the law is brought to its attention, the CNIL may:

    • Issue a formal notice (call to order),
    • Order the processing to be brought into compliance,
    • Temporarily or permanently restrict a processing operation,
    • Suspend data flows,
    • Order that people's rights be honored,
    • Impose a fine.


    6 benefits of RGPD compliance for your business:

    1. Strengthen your customers' trust:

    By complying with the RGPD, your company demonstrates its commitment to protecting its customers' privacy, boosting their trust and improving their perception of your business.

    2. Enhanced corporate reputation:

    A benefit that follows directly from the previous one is the improvement of your reputation! A company that complies with RGPD standards is more likely to enjoy a better reputation, which can translate into a positive brand image and a competitive edge in the marketplace.

    3. Optimizing internal processes:

    RGPD compliance means reviewing and optimizing your internal data collection, storage and processing processes. In addition to enabling RGPD compliance, this work can lead to improved operational efficiency and long-term cost savings. 


    4. Access to international markets:

    As specified in the introduction, the RGPD is a European regulatory text, but it is also a standard widely respected around the world, so a RGPD-compliant company is better positioned to access international markets and establish partnerships with other companies.

    5. Enhancing security:

    By implementing RGPD-compliant security measures, your company reduces the risk of cyberattacks and data breaches, protecting both your own data and your customers' data.

    6. Marketing effectiveness:

    By complying with the RGPD, your company can improve the quality of its customer databases, enabling more targeted and effective marketing campaigns, with clear and transparent consent from users for the processing of their personal data. 

    How to apply the RGPD rules with Mr Suricate?

    Mr Suricate is here to ensure your company's compliance with the RGPD by maintaining security and reliability on your IT systems!

    Our comprehensive range of tests can help you identify and correct potential flaws in your system. All of our tests can be put at your service to ensure compliance with the five principles: purpose, relevance, retention period, data security and people's rights.

    Take control of your applications and detect bugs in real time on your websites, mobile apps and APIs by reproducing your user paths at regular intervals.

    Author: Mr Suricate