GDPR Procedure

Design steering and governance structures

  • Appoint a DPO, who will:
      • Inform and advise those responsible for processing
      • Act as the company's point of reference on applying the regulation
      • Serve as the contact point for the supervisory authority
  • Set up a Data Security Committee, which:
      • Studies new processing
      • Evaluates existing measures
      • Studies the documentation
      • Reassesses risks and the new measures to be adopted

Mapping processing

  • Identify and document:
      • The different types of personal data processing
      • The categories of personal data processed and where they are stored
      • The objectives pursued by each data processing operation
      • The actors (internal or external) who process this data
      • The flows indicating the origin and destination of the data
      • Possible transfers of data outside the European Union

Prioritise actions

  • Depending on the nature of the processing and of the data processed:
      • Ensure that only the data strictly necessary for attaining your objectives are collected and processed.
      • Identify the legal basis of the processing (consent of the person, contract, legal obligation).
      • Revise the privacy notice.
      • Ensure that contractual clauses exist which recall the subcontractor's obligations regarding the security, confidentiality and protection of the personal data processed.
      • Provide for the exercise of the rights of the persons concerned (right of access, rectification, right to portability, withdrawal of consent, etc.).
      • Verify the security measures in place.
      • Identify hazardous processing (nature of the processing, nature of the data, potential threats, etc.).

Manage risks

  • For each type of processing identified as hazardous, carry out a privacy impact assessment (PIA) covering:
      • The "parts to protect"
      • The "potential impact"
      • The "media"

Organise internal processes

  • Define processes making it possible to:
      • Take the protection of personal data into account from the design of an application or processing onward (privacy by design),
      • Confirm the role and responsibility of the actors involved in implementing the data processing,
      • Raise awareness, train staff and organise feedback,
      • Deal with complaints and requests from individuals regarding the exercise of their rights,
      • Anticipate data breaches by providing for notification of the regulatory authority and the persons concerned within 72 hours.

Document compliance

  • Document the processing of personal data
  • Document the information provided to the persons concerned
  • Document the contracts that define the roles and responsibilities of the actors
  • Document the security measures implemented