Personal data and GDPR: what are the obligations of companies?
Since it became applicable on 25 May 2018, the General Data Protection Regulation (GDPR) has given you a number of advantages: it makes it easier for you to control your personal data, and it aims to strengthen the protection of that data.
The GDPR therefore imposes new obligations on companies that collect and store your data.
Here are the four main ones.
1 – An obligation of appropriate security
A company collecting personal data has a legal obligation to ensure its security. The protection measures it puts in place must be appropriate to the risk: the more sensitive the data, and the more serious the consequences a breach could have for the persons concerned, the stronger the measures must be. The GDPR cites as examples the pseudonymisation and encryption of data, the ability to guarantee the confidentiality, integrity, availability and resilience of the systems that process it, the ability to restore access to the data promptly after an incident, and a process for regularly testing that these measures are effective.
If the organisation entrusts data to one or more processors (subcontractors that handle the data on its behalf, such as a hosting provider), it may only use processors that provide sufficient guarantees that the data transmitted to them will be protected, and the processing must be governed by a contract setting out the processor's obligations.
2 – Restricted access to your personal data
Organisations are obliged to respect the principle of data minimisation. This means collecting only the personal data that is necessary to achieve the purpose for which it is collected.
They must therefore limit themselves to the strict minimum and may not ask you for more information than they need for the stated purpose.
While companies must put in place technical measures to protect your data, as mentioned above, this security must also include organisational measures: restricting access to the data to the authorised persons who have a role in processing it, and not keeping the data for longer than is necessary for that purpose.
3 – A regularly reviewed risk analysis
When an organisation wishes to set up a personal data processing operation that is likely to result in a high risk to the rights and freedoms of the persons concerned (for example one involving sensitive data or vulnerable individuals, leading to evaluations or scores, or establishing systematic surveillance), it must first carry out a data protection impact assessment (DPIA).
This involves identifying the risks the persons concerned would face in the event of theft, loss, alteration, unauthorised disclosure or accidental deletion of their data, and the measures that address those risks. The aim of the analysis is to put in place data protection measures that are appropriate to the risks identified, in accordance with the GDPR.
The analysis is not a one-off exercise: the GDPR requires it to be reviewed at least whenever the risk presented by the processing changes, and the CNIL recommends re-assessing it at least every three years, so that the level of security keeps up with changes to the processing.
4 – Informing you and keeping you informed about the management of your personal data
An organisation that suffers a personal data breach (not only a hack, but also the accidental loss, alteration or disclosure of data) must notify the competent supervisory authority, in France the CNIL (Commission nationale de l’informatique et des libertés, a French administrative authority), within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk for the persons concerned. If the breach is likely to result in a high risk for the individuals whose data is affected, those individuals must also be informed without undue delay.
These requirements laid down by the GDPR protect your personal data by imposing a certain level of security on organisations. They also restrict who may access this data, and they impose a duty to notify a breach, whatever measures were in place when it occurred.
In addition to securing your data, companies also have a duty to let you exercise your GDPR rights over it: the right of access, the right to erasure, the right to rectification, the right to object…