On March 15, 2017, the French data protection authority (the “CNIL”) published a six step methodology and tools for businesses to prepare for the EU General Data Protection Regulation (“GDPR”) that will become applicable on May 25, 2018.
The six steps are summarized below.
Step 1: Appointing a Data Protection Officer (“DPO”) or “Pilot”
The CNIL’s methodology first stresses the need for organizations to appoint a leader to pilot governance of data protection within their structure. This person will internally carry out informational, advisory and control tasks. Pending the application of the GDPR in 2018, the CNIL suggests that organizations may appoint a French DPO (Correspondant Informatique et Libertés) now. This will allow them to be one step ahead and better organized to comply with the upcoming GDPR. The CNIL strongly recommends appointing a DPO (with internal relays) who will be in charge of ensuring GDPR compliance, even if the organization is not required to appoint a DPO under the GDPR.
The first step will be completed once organizations have appointed a “pilot” responsible for implementing GDPR compliance measures based on an engagement letter, and have provided that person with human and financial means to perform his/her tasks.
Step 2: Data Mapping
For the second step, organizations are recommended to identify, in detail, their data processing activities. They may do so by preparing and maintaining a register of data processing activities. The CNIL’s methodology notes that, under the GDPR, organizations will have to keep full internal documentation of their data processing activities. The CNIL’s methodology proposes a template register.
Organizations may move to the third step if they:
- have contacted all the appropriate services and entities that process personal data within their structure;
- have established a list of their data processing activities per (main) purpose—not per system or application used—and of the types of personal data processed;
- have identified the vendors/data processors involved in each data processing activity; and
- know where the data is being transferred and to whom, where it is hosted and for how long it’s retained.
Step 3: Prioritizing Compliance Actions
After preparing the register in the second step, the CNIL’s methodology recommends identifying, for each data processing activity, the actions that will need to be implemented to comply with current and future data protection obligations. This prioritization must be carried out, taking into consideration the risks to the rights and freedoms of the data subjects.
The actions to be implemented will, at a minimum, include:
- ensuring that only personal data that is strictly necessary is collected and further processed;
- identifying the legal basis for the data processing;
- reviewing existing privacy notices to comply with the GDPR notice requirements;
- verifying that all vendors/data processors are aware of their new obligations and responsibilities under the GDPR and that appropriate privacy clauses are inserted in services agreements;
- defining a procedure for handling data subjects’ requests for exercising their data protection rights; and
- verifying the data security measures implemented.
The third step will be completed once organizations have implemented measures to protect data subjects concerned with their data processing activities and have identified those data processing activities that involve a privacy risk.
Step 4: Managing Risks
If, during the previous step, organizations have identified data processing activities that may pose high risks to the rights and freedoms of data subjects, they will need to carry out a privacy impact assessment (“PIA”) for each of these data processing activities. The CNIL’s methodology refers to the CNIL’s 2015 PIA guides as a tool to carry out PIAs under the GDPR.
The fourth step will be completed once organizations have implemented measures to respond to the main risks and threats to data subjects’ privacy.
Step 5: Organizing Internal Processes
Under the fifth step, organizations must implement internal procedures to guarantee data protection at any time, taking into account all events that may occur during the lifetime of a data processing activity (such as a data security breach, management of data subjects’ requests, changes to the data collected, change in vendors, etc.). In particular, this implies the following actions:
- taking into account data protection principles when designing an application or a data processing activity;
- increasing employee awareness and ensuring that information is escalated to relevant employees or directors, in particular by developing a training and communications plan;
- handling data subjects’ complaints and requests for exercising their data protection rights; and
- anticipating data security breaches by ensuring that, in some cases, the breach will be notified to the data protection authority within 72 hours, and without undue delay, to data subjects affected.
An online notification service will be available on the CNIL’s website in May 2018. Pending that service, organizations may consult, by way of example, the French data breach notification form used by telecommunications providers to notify their breaches.
Organizations may only move to the final step once (1) best practices for data protection are implemented by the services in charge of implementing data processing activities, and (2) personnel know what to do and whom to contact in the event of a data incident.
Step 6: Keeping Documentation on Compliance Measures
For the final step, organizations must compile and group all necessary documentation together. The actions and documents produced at each step must be regularly re-examined and updated to ensure continued data protection. In particular, this documentation will need to include:
- the register of data processing activities (for data controllers) or the categories of data processing activities (for data processors);
- PIAs for high risk data processing;
- data transfer mechanisms (e.g., EU Model Clauses, Binding Corporate Rules and certifications, where applicable);
- privacy notices;
- consent forms, as well as evidence that data subjects have given their consent where consent is the legal basis for the data processing;
- procedures implemented for the exercise of the data subjects’ data protection rights;
- contracts with vendors/data processors; and
- internal procedures in the event of a data breach.
The sixth step will be completed once the documentation demonstrates compliance with all of the GDPR obligations.
The CNIL will adapt and complete the above tools when relevant GDPR guidelines are published by the Article 29 Working Party.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code