The General Data Protection Regulation (GDPR), a European regulatory framework for the processing and circulation of personal data, came into force on 25 May 2018 and governs the way that EGERIE manages data that we may collect from you.
Article 32 specifies that the protection of personal data requires “appropriate technical and organizational measures to ensure a level of security adapted to the risk”. Such an approach allows for objective decision-making and the determination of measures that are strictly necessary and appropriate to the context.
Several key concepts outlined below will give you a better understanding of the scope of the regulation:
With the concept of “Accountability”, the GDPR places data protection at the heart of corporate strategy and culture.
The subject can no longer be treated as a purely digital matter; it raises the fundamental question of trust. It is also an opportunity to rethink, at the highest level, the economic models built around the valuation of data.
Article 24 of the GDPR – Accountability: “(…) the controller implements appropriate organisational measures (…) to ensure and be able to demonstrate that the processing is being carried out in accordance with this Regulation. These measures are reviewed and updated where necessary.”
These measures include:
Faced with the scale and recurrence of the actions to be carried out in more or less complex and decentralised environments, the DPO (Data Protection Officer, rendered in French as “Delegate for Data Protection”) must rely on operational tools to orchestrate the application, monitoring and verification of the rules governing the processing of personal data.
Article 39 of the GDPR – Tasks of the Data Protection Officer (DPO):
“He advises the controller and monitors compliance with this Regulation, with other data protection regulations and with the internal rules of the controller or the processor.”
Article 30 of the GDPR – Record of Processing Activities:
“Each controller maintains a record of processing activities that describes, among other things, the categories of personal data.”
Under the GDPR, companies need to put in place a risk management system. Impact assessment is an integral part of this system: it identifies risks and determines whether or not they are acceptable.
Article 35 of the GDPR – Data Protection Impact Assessment:
“The controller must perform an impact assessment when a type of processing is likely to pose a high risk to the rights and freedoms of individuals.”
In addition, the data protection impact assessment must “at least contain a description of the processing and its purposes, an assessment of the necessity and proportionality of the processing operations, an assessment of the risks […] and the measures envisaged to address these risks and comply with the Regulation”.