GDPR and Henner Group

WHAT?

GDPR is the new European data privacy regulation for the residents in the European Union. The regulation standardises data privacy in the European Union.

WHEN?

From May 25th 2018, companies not compliant with GDPR requirements will incur sanctions.

The French law known as Informatique et Libertés was passed on January 6th, 1978, and has been amended several times since.

Organisations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR.

GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, which means it will be in force in May 2018.

WHO?

GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

WHY?

Rapid technological developments and globalisation have brought new challenges for the protection of personal data.
These challenges include:
– Increasing individual rights;
– Empowering the businesses and organisations processing and holding personal data;
– Communicating privacy information.

Step 1
Establishing Project Team members

Henner appointed a Data Protection Officer (DPO) in charge of data protection compliance and assessed where this role would sit within our organisation’s structure and governance arrangements.
Step 2
Map of personal data
Draft a record of processing activities:
– Inventory of personal data processing;
– Personal data classification;
– Description of the categories of data subjects;
– Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation.
Step 3
Road Map
Based on the GDPR’s requirements:
– Identify risks;
– Prioritise the level of risk with regards to the rights and freedoms of natural persons.
Step 4
Protection of the rights and freedoms of natural persons against risks
– Compliance assessment of data processing;
– Establishing data protection impact assessment;
– Implementing, by both the controller and the processor, appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Step 5
Organisation of internal processes
– Reinforcement of awareness-raising and training of staff involved in processing operations;
– Reinforcement of the right to access, to rectification, to erasure and data portability procedures;
– Implementation of a personal data breach policy to protect the rights and freedoms of natural persons.
Step 6
Formalisation of compliance procedures
Maintaining the internal compliance documentation required by the regulation.

The 5 key GDPR requirements

DPO (Data Protection Officer)

The DPO ensures compliance and acts as the contact point between the supervisory authorities and the firm.

The DPO must be involved in all issues relating to the protection of personal data.

Security by default

This means strengthening the security of the information system: the company must be able to detect failures and fix them.

Privacy by design

From the product’s design to the information system, the protection of personal data has to be considered.

Accountability

The controller or processor should take the necessary measures to ensure compliance with data protection. These measures may be required by the authorities.

Privacy Impact Assessment

For any new processing it is necessary to establish a Privacy Impact Assessment. For processing operations which are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.

You can consult our commitments regarding the protection of personal data by clicking here.