
General Data Protection Regulation Increases Company Responsibility

Nathalie Devillier, professor of law at Grenoble Ecole de Management
Published on 26 April 2018

The European General Data Protection Regulation (GDPR) is the legal framework governing the processing of personal data. Its goal is to better protect the privacy of European internet users, and it has important implications for companies. How should businesses prepare for this regulation, which comes into effect on May 25th?

The GDPR was adopted in April 2016 and becomes enforceable on May 25th, 2018. It has three primary goals: (1) to reinforce the rights of individuals, both over and under 18 years of age, over their personal data; (2) to increase the responsibility of the players handling that data, both companies and other intermediaries; (3) to harmonize regulation and strengthen sanctions across Europe.

Companies must prove their compliance

Companies will now be required to justify the ways in which they comply with the GDPR. "Companies have to guarantee and prove that their use of data is compliant and secure at all times. In addition, this requirement is expanded to include all subcontractors and service providers working with the company," explains Nathalie Devillier, a professor of law at Grenoble Ecole de Management. In other words, every company and its subcontractors must be able to demonstrate a transparent compliance process, with documented procedures for collecting, storing, using, sharing and destroying personal data.

7 tips from Nathalie Devillier

1 - Map all data and audit subcontractors

Companies and their subcontractors are both responsible for the processing of personal data and for protecting it. This means companies have to map their use of data and identify every partner involved in its collection and processing, and audit how those partners protect it.

2 - Train a Data Protection Officer (DPO) to replace the CIL (Correspondant informatique et libertés, the previous French role)

The GDPR encourages companies to appoint a DPO. A DPO is mandatory for public bodies, for organizations that process personal data at large scale, and for organizations that collect sensitive data such as health data or data relating to criminal records and background checks. The DPO guides the organization's compliance efforts: he or she ensures that the company meets its legal obligations and cooperates with the CNIL (France's data protection authority).

3 - Keep a record of data processing activities for the CNIL

The GDPR requires organizations to maintain a record of their processing activities (what data is collected, why, who has access to it, how long it is kept and how it is secured) and to make it available to the CNIL on request. The CNIL provides a downloadable template for this record.

4 - Carry out an impact study

To help companies manage this change, the CNIL has published a new version of its PIA (Privacy Impact Assessment) software, which supports the data protection impact assessment the GDPR requires for high-risk processing, as well as a case study on connected objects (sleep monitors).

5 - Ensure complete transparency in terms of data collection

Transparency covers cookies, general terms and conditions, the right of access, the right to erasure, the right to data portability, and profiling (e.g., massive data collection via Twitter, Facebook or Amazon). Companies must be transparent about what data they collect, how they use it, and what security measures protect it.

6 - Alert the CNIL if there is a breach of privacy for personal data

A company that suffers a security incident or a cyber attack involving personal data must notify the CNIL within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the people concerned. If the breach presents a high risk to their rights and freedoms, the affected individuals, including the company's clients, must be informed as well. Because the clock starts at the moment of awareness, companies need a procedure in place to detect, assess and document breaches before one occurs. To help prevent data breaches, it is recommended that companies contact the ANSSI (Agence nationale de la sécurité des systèmes d'information, the French national cybersecurity agency).

7 - If a company transfers data to a server in the USA, ensure the service provider has declared Privacy Shield compliance

To do so, check the official U.S. Privacy Shield list and ensure that the provider's certification status is active. (Note: the Privacy Shield framework was invalidated by the Court of Justice of the European Union in July 2020, so this check alone no longer provides a lawful basis for transfers to the USA.)
