GDPR and data processing: the main points to remember
The General Data Protection Regulation (GDPR) is the European regulation aimed at strengthening the protection of personal data. The GDPR regulates the processing of personal data within the territory of the European Union.
The main objective is to "harmonize the protection […] of natural persons with regard to the processing activities and [to] ensure the free flow of personal data between member states". This has a direct impact on companies processing personal data as well as on customers who regain control over their data.
For companies, applying this regulation pushes them to be transparent with their clients about the use of collected data, adopt a new data protection policy, and review roles internally.
The text has three objectives: consolidate the rights of natural persons, strengthen the powers of European authorities, and hold companies that process personal data accountable.
The DPO, or Data Protection Officer
The DPO is at the heart of the European regulation, which has been the applicable legal framework since May 2018 throughout the European Union. Companies and institutions that process personal data on a large scale appoint a Data Protection Officer (a personal data protection delegate) whose main mission is to ensure that their employer or client complies with the law when using the collected data for commercial or internal purposes (HR software, for example). The DPO must therefore have a 360° view of how personal data is used, a cross-functional role that leads them to work with every department of the company (management, marketing, development, human resources).
To do this, the DPO must be involved from the project's launch, mapping personal data and processing activities while recommending an appropriate security and confidentiality policy. To avoid ambiguity and the risk of non-compliance, the DPO must periodically check the compliance of the company (or their client) regarding the use of personal data through impact analyses, risk assessments, and penetration tests, and alert the interested party to any possible breach of the GDPR.
Playing the transparency card
When it comes to the collection and processing of personal data, it means total transparency! Companies are required to explicitly inform individuals of the use made of their data, which they can refuse. Additionally, institutions must also inform consumers of any breaches or theft of this data when such violations are likely to pose a significant risk to the rights and freedoms of natural persons so they can take appropriate precautions.
Accountability, a fundamental principle of the European pact, refers to the obligation for companies to implement mechanisms and internal procedures to demonstrate compliance with rules regarding data protection, by providing detailed documentation.
The protection of personal data
Moreover, companies are prohibited from transferring the personal data of a European citizen outside of Europe, which in effect prevents them from using the services of foreign companies (American, Asian, etc.). This applies whether or not the company is established in Europe, as the GDPR concerns all companies operating in this market that process the personal data of European citizens. To ensure that this principle of data protection is respected, actors must build the established security standards natively into their solutions, applications (CRM, ERP, MDM…), and cloud service providers, across the entire data lifecycle.
The real right to be forgotten
An individual has a right to the erasure of their personal data. They can contact the company and request that their data be deactivated and/or permanently deleted. At that point, the company has no choice but to execute the request within 30 days. Some actors perceive this change as a threat to their operations, since it means permanently losing their users' data. In reality, what needs to be understood here is that the client is placed at the center of the thinking on privacy protection, and by respecting the consumer's choice, the company maintains the trust established beforehand. Yes, because welcoming a client generally means hoping to retain them and build a long-lasting relationship based on mutual trust. And protecting clients' data strongly contributes to that trust.
The portability of data
The GDPR requires companies to provide individuals who request it with their personal data in a structured and readable format. With the right to data portability, users can request to retrieve the data provided to a platform for personal use or to transmit it to a third party. This new right aims to strengthen control over personal data.
Of course, this regulation is backed by sanctions. There are several levels:
Low: a warning.
High: depending on which articles of the regulation are not complied with, administrative fines range from €10,000,000 to €20,000,000, or from 2% to 4% of global annual turnover.
Despite the very strict nature of the GDPR's provisions, which may give a negative image of personal data protection, we believe that such a unified framework represents a real opportunity for European companies to differentiate themselves in global competition by demonstrating a constant concern for protecting the interests of consumers and citizens. It also enhances their clients' trust and adds value to the quality of data. We no longer talk about "Big Data" but about "Smart Data".
ViaDialog, GDPR Compliant
In this light, data protection is a critical axis for ViaDialog. We place extreme importance on the protection and confidentiality of our clients' and users' information. Indeed, the requirements of the GDPR are essential for us, and our team continuously adjusts our contractual commitments so that our clients can comply with the regulations in force.
ViaDialog is the only French actor to offer the entire spectrum of technological factors and maintain research, development, and maintenance in France.