European Data Privacy Day – GDPR

Everyone aware of the protection of personal data

Illustration: European Data Privacy Day - GDPR

Saturday, January 28th, 2023, will be Data Privacy Day. Created in 2006 by the European Council, it aims to make users aware of the importance of protecting their personal data. For companies, it’s an opportunity to ensure that they are compliant with the law.

What is personal data?

Personal data is all the information that identifies a person. A person can be identified in several ways:

  • Directly (last name, first name)
  • Indirectly (examples: customer number, phone number, photo, etc.)
  • From a single piece of data (examples: social security number, DNA)
  • By cross-referencing several pieces of data (example: date of birth + address)

Article 4 of the GDPR defines personal data as follows:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal data vs. sensitive data

Although the two are often confused, sensitive data is a particular category of personal data. Sensitive data is particularly at risk and benefits from a reinforced legal protection regime. The GDPR prohibits the processing of sensitive data.

Article 9 of the GDPR defines sensitive data as revealing:

  • Racial or ethnic origin,
  • Political opinions,
  • Religious or philosophical beliefs,
  • Trade union membership,
  • Genetic data, and biometric data processed for the purpose of uniquely identifying a natural person,
  • Data concerning health,
  • Data concerning a natural person’s sex life or sexual orientation.

What is the GDPR?

The General Data Protection Regulation frames personal data processing on the European Union’s territory. Entered into force on May 25th, 2018, it harmonizes European rules. Its objective is twofold:

  • To protect and facilitate the rights of users
  • To make organizations that process personal data accountable.

Who is concerned by the GDPR?

Any organization can be concerned, whatever its size, country of establishment, or activity. Indeed, the GDPR applies to any organization, public or private:

  • Established on the territory of the European Union,
  • Or whose activity directly targets European residents.

Non-European companies have the same obligations as long as they offer products or services to European residents.

Regulatory bodies

In France, the CNIL is the administrative authority enforcing the GDPR. Its European counterpart is the European Data Protection Committee (EDPS).

Roles of the CNIL

  • Inform individuals and professionals, and protect individual liberties,
  • Assist organizations in their compliance with the GDPR,
  • Anticipate the ethical challenges of data and innovate: the CNIL, alongside companies, participates in research in the field of privacy and personal data,
  • Control organizations.

Best practices to comply with the GDPR

If personal data is not the core of your business, being compliant with the GDPR is quite simple. To do so, follow these best practices.
Source: CNIL

Collect only the necessary data

The data you keep must be strictly necessary for your business. Do not collect any "sensitive" data. If that is not currently the case, this is the occasion to sort out your data!

Be transparent

Individuals must consent to the use of their data before you use it. This requires that they be clearly informed about the collection and use of their data. The GDPR requires that consent be "free, specific, informed, and unambiguous." Consent given "by default" is therefore not tolerated.

Make it easy for people to exercise their rights

Individuals (customers, service providers, employees, etc.) must retain control over the data that concerns them. Therefore, put in place procedures that allow people to exercise their rights, and respond to these requests as soon as possible. For subscribers to your email list, for example, provide an easily accessible unsubscribe and update form.

Set retention periods

You can't keep data indefinitely: you need to define the life cycle of the data. In most cases, there is no set rule for how long data should be kept; it is up to the company to define a relevant duration.

Secure data and identify risks

Server security should be a priority:

  • Limit access and manage Wi-Fi networks,
  • Use strong passwords,
  • Perform regular updates and backups,
  • Secure your websites,
  • Secure your archives.

Protect your data by replicating it; a recovery plan is required in the event of data loss. Ensure data confidentiality and integrity by encrypting data.

Controls and sanctions of the CNIL

The CNIL can check that companies processing personal data comply with the law. It has several measures at its disposal:

  • Warning and call to order: this is not a sanction but a corrective measure.
  • Injunction under penalty: an order to comply, with a sum to be paid in the event of non-compliance with the decision.
  • Sanction: A fine of up to 20 million euros or, for a company, up to 4% of worldwide turnover.

GAFAMs are not spared. In January 2022, the CNIL fined Google 150 million euros and Facebook 60 million euros for non-compliance with the cookie management rules, because their procedures did not allow users to refuse cookies as easily as to accept them.

Data security at GxpManager

The security of your data is part of the GxpManager platform’s DNA.

  • Our sovereign data center is located in France. We have chosen a European host to avoid exposing our clients to the legal and financial risks inherent to American companies, particularly those subject to extra-territorial laws such as the Cloud Act.
  • Updates, backups, restorations, and archiving are automated.
  • Your data is accessible online 24 hours a day.
  • A data encryption system ensures the integrity of your data.
  • Availability of your data: Provision of a disaster recovery plan (DRP) with very high availability and three redundant servers.