QimTech

For several years now, you’ve probably noticed that a new legal term has been mentioned time and again in the IT sector – GDPR. But what is it? What does it apply to and who is impacted by it? In this article, we highlight the main aspects of this reference text on personal data protection in Europe.

Introduction to GDPR

Definition of GDPR

The General Data Protection Regulation, known as the GDPR, is a European Union regulation aimed at strengthening and unifying the protection of personal data within EU member countries.
This legal act came into force in 2018 and has since been binding on every organisation, whether a private company or a public administration, that is established in the European Union or that processes the personal data of EU residents.

The main objectives of GDPR

We can establish two distinct objectives when it comes to GDPR: the strengthening and the unification of personal data protection.

  • Strengthening: in addition to recalling that the protection of one’s personal data is a fundamental right in the European Union, the GDPR establishes a strict legal framework to guarantee this protection. It grants EU residents a specific set of rights in relation to their personal data and imposes a set of obligations on the organisations involved in processing that data.
  • Unification is also important since the aim behind the European Union’s adoption of the GDPR was to harmonise the data protection legal framework between the EU’s twenty-seven member states without the latter needing to transpose the law into their national law. As such, GDPR applies uniformly throughout the European Union.

The fundamental principles of GDPR

With the aims behind GDPR now explained, let’s dive into the details… What is included in this law? There are many rules relating to data protection, but here is a summary of the main aspects that make up GDPR.

Lawfulness, fairness and transparency

All processing of personal data must be lawful and fair. So what does this mean? This implies that such processing is only possible if it satisfies one of the following conditions:

  • The individual has consented to the processing of his or her personal data for a set of clearly stated purposes. Personal data is processed simply because the person concerned by the data has given his or her consent. However, this consent is only valid for those purposes that have been clearly stated to the individual.
  • Data processing is necessary to perform a service to which the individual has subscribed. When we expect an organisation to provide us with a service, it may require the processing of our personal data. Obviously, this processing must be related to the service provided.
  • Data processing is necessary to comply with a legal obligation to which the data controller is subject. The organisation may need to comply with a request for personal data that has been made by the competent authorities. These legal obligations vary from country to country.

There are other possible conditions for lawful processing, in particular if the processing is necessary to safeguard vital interests. But these are very specific cases and the majority of cases in which processing is lawful will fall under one of the three conditions set out above.

Whatever the basis for the processing, the data subject must always be able to learn what data is being processed and for what purpose. This right must give him or her access, within a reasonable timeframe, to the information pertaining to his or her personal data, in a clear, easily understood format and in writing. This is the principle of fairness and transparency.

If personal data is collected with the aim of being processed, not only must the data subject have access to the purposes of the processing, but these purposes must also be clearly defined. It is not possible to collect data and then tell the individual that it will be used for “a number of purposes that are necessary for the proper functioning of the service”. The list of purposes must be clearly established from the outset and, if these purposes are to change, the individual must be informed and must consent to the changes.

Data minimisation

The principle is simple: an organisation that holds personal data and is responsible for processing it, or a subcontractor processing it on its behalf, may only hold the data it needs for its stated purpose(s).

For example, if a cooking recipe website wishes to collect data from its users in order to offer them the recipes most likely to appeal to them, they will be entitled to collect information about their users’ culinary tastes. On the other hand, they will not be able, for example, to collect data relating to the colour of their hair, as this data does not serve the purpose of the processing.

Accuracy

This principle is explained in its title: the data processed must be accurate and kept up to date. The organisation responsible for data processing must be able to guarantee its accuracy. This guarantee can be implemented by allowing the data subject to rectify the data at any time. This possibility of rectification is in fact a right for individuals that is defined in the GDPR.

In order to be sure that the data is accurate, the organisation holding the data can assess its reliability according to the means used to collect it: is it a response to a form filled in by the user in person, or an automatic process based on his or her browsing habits? The guarantee regarding the accuracy of the resulting data will not be the same in each case.

Limited retention

A third-party organisation has the right to hold personal data, but it cannot store the data indefinitely: a limited retention period must be established. This period must be the shortest that still allows the organisation to achieve the purpose for which the data is processed. If an extension of the retention period is necessary, the informed consent of the data subject must be obtained.
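The two principles above (minimisation, as in the recipe-site example, and a bounded retention period) are the ones most directly enforceable in code. The following is an added example, not code from the original article: it assumes a small in-memory register that maps each declared processing purpose to the fields it legitimately needs and to a maximum retention period. The purpose names, field names, retention periods and sample records are all constructed for illustration.

```python
"""Purpose-bound data minimisation and retention check (added example).

Assumes a register of declared purposes.  Fields not listed for a purpose
are refused at ingestion (data minimisation); records older than the
purpose's retention period are reported for erasure (limited retention).
All purposes, fields, durations and records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed register: one entry per declared purpose.  Anything not
# listed under "fields" must not be collected for that purpose at all.
PURPOSES = {
    "recipe_recommendation": {
        "fields": {"user_id", "cuisine_preferences", "dietary_restrictions"},
        "retention": timedelta(days=365),
    },
    "newsletter": {
        "fields": {"user_id", "email", "newsletter_consent_at"},
        "retention": timedelta(days=730),
    },
}


def minimise(record: dict, purpose: str) -> tuple:
    """Keep only the fields the declared purpose needs.

    Returns (kept_record, refused_field_names).  An undeclared purpose
    raises KeyError on purpose: processing without a stated purpose is
    exactly what the principle forbids.
    """
    allowed = PURPOSES[purpose]["fields"]
    kept = {k: v for k, v in record.items() if k in allowed}
    refused = set(record) - allowed
    return kept, refused


def is_expired(collected_at: str, purpose: str, now: str) -> bool:
    """True once the retention period declared for the purpose has elapsed.

    Timestamps are ISO 8601 strings with an explicit UTC offset.
    """
    age = datetime.fromisoformat(now) - datetime.fromisoformat(collected_at)
    return age > PURPOSES[purpose]["retention"]


def expired_records(store: list, purpose: str, now: str) -> list:
    """user_ids whose records must be erased for this purpose as of `now`."""
    return [r["user_id"] for r in store
            if is_expired(r["collected_at"], purpose, now)]


if __name__ == "__main__":
    # Constructed sign-up payload: hair colour serves no declared purpose.
    signup = {"user_id": "u-1001", "cuisine_preferences": ["thai", "italian"],
              "hair_colour": "brown", "email": "alice@example.com"}
    kept, refused = minimise(signup, "recipe_recommendation")
    print("stored:", kept)
    print("refused (not needed for this purpose):", sorted(refused))

    now = "2024-06-01T00:00:00+00:00"
    store = [
        {"user_id": "u-1001", "collected_at": "2023-01-15T00:00:00+00:00"},
        {"user_id": "u-1002", "collected_at": "2024-03-01T00:00:00+00:00"},
    ]
    print("to erase:", expired_records(store, "recipe_recommendation", now))
```

The refused set is returned rather than silently dropped so that ingestion can log which fields a form or integration tried to send: a field that keeps being refused is a sign that a purpose has changed without being declared, which is the consent point the paragraph on purpose limitation makes.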

Integrity and confidentiality

This brings us to the final principle that forms the basis of all secure data: it must be kept both intact and confidential. It is the responsibility of the organisation holding the personal data to ensure that it cannot be disclosed without the consent of the data subjects, nor altered by third parties. Compliance with this principle is a matter for cybersecurity solutions; it represents a major challenge for companies, both in terms of compliance with the legal framework and their credibility in the eyes of the public.

We have now come full circle through the main principles that constitute GDPR. Compliance with these principles is a legal obligation incumbent on organisations that hold personal data. Failure to comply exposes the organisation to various sanctions, as explained below. For the moment, we will look at the measures that organisations can implement to guarantee the security of the personal data they hold.

Data security measures

The security of data stored by an organisation is its responsibility. Faced with the risks of data leakage and illegitimate alteration of data, it is important to put in place appropriate measures to protect the data from threats.

Risk assessment

What kind of personal data does my organisation hold? What are the risks to data subjects in the event of a leak? And the risks in the event of alteration of data? These are just some of the questions that holders of personal data need to be able to answer in order to implement appropriate security measures.

If the organisation’s activities are likely to have a significant impact on privacy, a detailed risk assessment must be carried out. This is known as a Data Protection Impact Assessment (DPIA), a point to which we’ll return later. If this study reveals that there is a high risk to individual privacy in the event of a failure in data protection measures, the organisation must commit to implementing a series of measures to reduce the risk incurred.

Implementing technical and organisational measures

In order to implement data security measures, a set of measures must be put in place by the organisations that are responsible for data processing.

Among the more technical solutions that can be employed, we have a variety of technologies and practices designed to protect data against threats and vulnerabilities. These are intrinsically linked to digital security in general, such as the use of anti-virus software or firewalls on terminals accessing data, or even data anonymisation and encryption, details of which are set out below.

On the other hand, organisational measures concern the internal policies and procedures put in place to ensure proper management of personal data. These include regular staff training on good data protection practices, the performance of privacy impact assessments (PIAs) and the implementation of robust privacy policies. Organisations also appoint a Data Protection Officer (DPO) to oversee GDPR compliance. For some organisations, these measures are a legal obligation.

Data anonymisation and encryption

To reduce the risk to personal data, GDPR recommends that organisations responsible for processing use data anonymisation solutions. Anonymisation (or pseudonymisation as it is known in the texts of the GDPR) is a technique that ensures there is not a link between an individual’s personal data and his or her identity. This solution is possible if the processing consists of a general analysis of the data and is not carried out nominatively on the data of a specific individual.

Obviously, this solution just guarantees anonymity for individuals and not data confidentiality. The GDPR clearly states that this measure does not exclude the implementation of other data protection measures such as encryption, which can guarantee data confidentiality in the event of a leak. A solution such as this would prevent the data from being read by a third party if the latter does not have the key. In this instance again, however, it is important to ensure that the key is not leaked.
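The pseudonymisation described above is usually implemented by replacing direct identifiers with a keyed token, so that analyses can still group records belonging to the same person without seeing who that person is. The following is an added example, not code from the original article. It assumes two constructed direct-identifier fields (`email` and `full_name`), a secret key held by the data controller, and sample records that are constructed for illustration. One caveat a practitioner should keep in mind: because the controller can re-identify the records with the key, pseudonymised data is still personal data under the GDPR, which is why the article goes on to require confidentiality measures such as encryption in addition.

```python
"""Keyed pseudonymisation of direct identifiers (added example).

Replaces constructed direct-identifier fields with a pseudonym computed as
HMAC-SHA256 over the normalised e-mail address under a secret key.  The
same person always gets the same pseudonym (so aggregate analysis still
works), but without the key the mapping cannot be recomputed.  The key,
field names and records are constructed for this example.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person and must not reach the analytics copy.
DIRECT_IDENTIFIERS = ("email", "full_name")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym for one identifier.

    An unkeyed hash of an e-mail address can be reversed by hashing
    candidate addresses and comparing; the secret key removes that
    weakness.  Input is normalised so case and whitespace differences do
    not split one person into several pseudonyms.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Copy of `record` with direct identifiers replaced by one pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = make_pseudonym(record["email"], key)
    return out


def build_reidentification_table(records: list, key: bytes) -> dict:
    """pseudonym -> e-mail mapping, to be stored separately from the data.

    This table (and the key) is what makes the data personal data: it must
    live under the same access controls as the raw identifiers.
    """
    return {make_pseudonym(r["email"], key): r["email"] for r in records}


def contains_direct_identifiers(record: dict) -> bool:
    """Sanity check before a record is handed to analytics."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # controller's secret, kept off the analytics side
    raw = [  # constructed records
        {"email": "Alice@Example.com", "full_name": "Alice Martin", "recipes_viewed": 12},
        {"email": "alice@example.com", "full_name": "Alice Martin", "recipes_viewed": 3},
        {"email": "bob@example.com", "full_name": "Bob Durand", "recipes_viewed": 7},
    ]
    analytics = [pseudonymise_record(r, key) for r in raw]
    assert not any(contains_direct_identifiers(r) for r in analytics)
    # The two Alice rows share one pseudonym, so per-person totals still work.
    totals = {}
    for r in analytics:
        totals[r["pseudonym"]] = totals.get(r["pseudonym"], 0) + r["recipes_viewed"]
    print(totals)
    print(build_reidentification_table(raw, key))
```

The pseudonym is truncated to 128 bits, which is ample to avoid collisions at any realistic record count while keeping the token short. Rotating the key produces an entirely new set of pseudonyms, which is the usual way to break linkability when a dataset is handed to a new recipient.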

Access and identity management

Access management aims to ensure that only authorised persons can access personal data, thereby minimising the risk of confidentiality breaches. This involves implementing strict controls to determine who can access which data and under what conditions. These controls include two-factor authentication (2FA), which strengthens security by requiring a second proof of identity in addition to the password. Single sign-on (SSO) is also commonly used to simplify access procedures, while ensuring a high level of security is maintained.

Identity management, on the other hand, involves administering user credentials throughout their lifecycle within the organisation. The starting point is to create identities when new employees are onboarded, through to the management of roles and permissions as positions and roles change, right up to the point at which accounts are deactivated when they leave the company. Rigorous identity management ensures that each user only has the access they need to carry out their tasks. This is in line with the principle of least privilege, which dictates that each user should only have the minimum access privileges they require to carry out their tasks.

Monitoring and auditing

Monitoring involves the active tracking of data handling processes to detect any anomalies that might indicate a data breach. This includes the use of network and application monitoring systems. These tools enable early detection of unauthorised access attempts and real-time reactions to prevent security incidents.

In parallel, regular audits of data management systems and procedures are necessary to assess compliance with the GDPR. These audits can be carried out internally by the organisation itself, or externally by independent third parties. The aim is to verify that the technical and organisational measures put in place are adequate and comply with the legislation.

Audits can cover several aspects, including the effectiveness of data protection policies, access and identity management, IT infrastructure security, and employee awareness and training.
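Access management, monitoring and auditing fit together naturally: each access decision made under a least-privilege policy is recorded, monitoring scans those records for anomalies, and the same records are what an auditor later reviews. The following is an added example, not code from the original article. The roles, data categories, user names and events are all constructed; the detector flags an account that is repeatedly refused access within a short window, which is one of the anomalies the monitoring paragraph above describes.

```python
"""Least-privilege access check with an audit trail and a simple detector
(added example).

Roles, data categories, users and timestamps below are constructed.
`request_access` decides and writes one structured audit event;
`suspicious_users` scans the trail for accounts with repeated denials.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Least privilege: each role lists only the personal-data categories its
# tasks require.  Anything not listed, and any unknown role, is denied.
ROLE_PERMISSIONS = {
    "support_agent": {"contact_details", "order_history"},
    "data_analyst": {"pseudonymised_usage"},
    "dpo": {"processing_register", "breach_log"},
}


def is_allowed(role: str, category: str) -> bool:
    """Deny by default: unknown roles have no permissions."""
    return category in ROLE_PERMISSIONS.get(role, set())


def request_access(audit_log: list, ts: str, user: str, role: str,
                   category: str) -> bool:
    """Decide and append one audit event (ISO timestamp, who, what, outcome)."""
    allowed = is_allowed(role, category)
    audit_log.append({
        "ts": ts, "user": user, "role": role, "category": category,
        "outcome": "ALLOW" if allowed else "DENY",
    })
    return allowed


def suspicious_users(audit_log: list, threshold: int = 3,
                     window_minutes: int = 10) -> set:
    """Users with at least `threshold` DENY events inside any window."""
    denies = defaultdict(list)
    for event in audit_log:
        if event["outcome"] == "DENY":
            denies[event["user"]].append(datetime.fromisoformat(event["ts"]))

    window = timedelta(minutes=window_minutes)
    flagged = set()
    for user, times in denies.items():
        times.sort()
        # Sliding window anchored at each denial in turn.
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    log = []  # constructed sequence of access requests
    request_access(log, "2024-06-01T09:00:00", "alice", "support_agent", "contact_details")
    request_access(log, "2024-06-01T09:01:00", "bob", "data_analyst", "contact_details")
    request_access(log, "2024-06-01T09:02:00", "bob", "data_analyst", "contact_details")
    request_access(log, "2024-06-01T09:03:00", "bob", "data_analyst", "order_history")
    request_access(log, "2024-06-01T09:04:00", "carol", "support_agent", "breach_log")
    for e in log:
        print(f'{e["ts"]} {e["outcome"]:5} {e["user"]} ({e["role"]}) -> {e["category"]}')
    print("flagged:", suspicious_users(log))
```

Writing both allowed and denied decisions to the same trail is deliberate: an auditor checking that "each user only has the access they need" wants to see what was granted, not just what was refused, and the detector only needs to filter on the outcome field.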

The rights of data subjects

The individuals affected by the personal data that is being processed have a number of rights guaranteed under GDPR.

The right to information

The individual has the right to inspect the way in which his or her personal data is collected, how it is processed and for what purpose. If he or she explicitly requests access to this information from the organisation that is holding his or her personal data, this request must be met in writing within a reasonable timeframe. In addition, the individual must be informed of all the rights he or she has with regard to the organisation that processes his or her data.

The right of access

Based on the same principle as the right to information, the right of access enables an individual whose personal data is held by a third-party organisation to request that the organisation provide access to all data relating to them. As with the right to information, this request must be simple to formulate and must be met within a reasonable timeframe.

The right to rectification

If the personal data currently held by the organisation proves to be inaccurate or incomplete, the data subject may require the organisation to rectify the data as soon as possible. This right is linked to a fundamental principle of the GDPR, which requires processed data to be accurate. A good way to achieve this is to let the data subject rectify the data directly.

The right to erasure

The definitive deletion of personal data by the organisation that is holding it must be performed if one of the following reasons requires it:

  • The data is no longer necessary for the organisation’s stated purpose. In this instance, and in accordance with the principle of data minimisation, the organisation should only keep the data it needs for processing. All other data must be deleted.
  • The individual withdraws the consent for the processing of their data and it was this consent that initially allowed the organisation to collect the data. If the data was collected because the data subject had provided consent, the data must be deleted as soon as the data subject withdraws their consent.
  • The individual objects to the organisation’s planned processing of his or her data. The principle of transparency requires the organisation to indicate what processing will be carried out and for what purpose(s). If the individual disagrees with the processing that has been planned, they are able to object to the performance of the processing and request that their data be deleted.
  • The individual’s personal data has been processed illegitimately. Was the data collected without a legitimate basis, such as the consent of the data subject or the performance of a subscribed service? Or has processing been carried out on this data that is not legally permitted? In these cases, the data must be deleted so that the organisation holding it can return to compliance.
  • Personal data must be deleted to comply with a legal obligation applicable to the organisation. These legal obligations may vary depending on the legislation in force, but if the organisation holding the data has to delete it to comply with the law, it must obviously do so.

As you can see, this right to have personal data deleted, while it exists, is not an absolute right and specific criteria must be met. In practice, most private organisations handling personal data are entitled to do so thanks to the consent obtained from users, or because they provide a service to which the user has subscribed. Users can therefore easily demand that their data be deleted if they so wish.

The right to restrict processing

If an individual is of the opinion that the processing of his or her personal data is not lawful, he or she may request that the processing be restricted until the conditions for lawful processing have been met.

An example of this would be an individual who disputes the accuracy of their personal data and requests that processing be restricted until such time as the data controller can verify the accuracy of the data.

This right can be seen as an alternative to the outright deletion of personal data; for example, this would mean that a service to which the individual has subscribed with the organisation holding the data would not need to be terminated.

The right to data portability

In some instances, the individual may ask an organisation holding his or her personal data to transmit it directly to another organisation in a structured format so that the other organisation can process it. However, this right may not apply if the organisation holding the data retains it as part of a service subscribed to by the individual.

Company obligations

The rights that individuals have with regard to their personal data are important. But that’s not the end of it! Organisations that hold personal data are subject to their own obligations.

Appointing a Data Protection Officer (DPO)

The appointment of a Data Protection Officer (DPO) within an organisation that processes personal data is mandatory if the data processed, or the purpose of the processing, is of a sensitive nature for the data subjects (such as medical data), or if the organisation is a public entity. The DPO’s duties include:

  • Informing the organisation about its data protection obligations;
  • Ensuring compliance with the organisation’s obligations;
  • Advising the organisation on the best governance to apply in terms of data protection;
  • Acting as an intermediary between the organisation and the regulatory authorities.

As part of this mission, the DPO must be involved in all decisions concerning the processing of personal data. The DPO therefore acts as a bulwark against any abuses that may occur within an organisation holding sensitive data. On its website, the CNIL provides a range of resources to help DPOs carry out their mission.

Keeping a register of processing activities

The processing of personal data must be recorded in a structured register listing the nature of the processing carried out, the categories of individuals whose personal data has been processed and the purpose of the processing. This register can then be provided to the supervisory authorities upon request.

The aim of keeping such a register is to be able to check the compliance of processing operations after the fact. The supervisory authorities will then be in a position to detect any infringements and, if necessary, apply the appropriate penalties.

Notification of a data breach

If, despite all the measures put in place to guarantee data protection, it is or has been compromised, the organisation that has been exposed to the data breach is required to notify the regulatory authorities as soon as possible. Included in this notification is a description of the nature of the personal data breach, the consequences of the breach and the measures put in place to mitigate the negative impact of the breach. Once notified, the regulatory authorities can advise the organisation on the best course of action.

Data Protection Impact Assessment (DPIA)

The data controller within the organisation must carry out a Data Protection Impact Assessment (DPIA). The purpose of this audit will be to specify the nature and purpose of the sensitive processing, to study the necessity of such processing in view of the purpose, to assess the risks to the rights and freedoms of the data subjects and to look at implementing measures and safeguards to address the risks in question. It can be carried out in collaboration with the organisation’s DPO, if one has been appointed.

Penalties for non-compliance

It is clear that there are many requirements relating to GDPR and, like any legal regulation, sanctions will be incurred in the event of non-compliance. These sanctions are intended to be “effective, proportionate and dissuasive”.

The base penalty

The base penalty is an administrative fine of up to ten million euros or, if the offending organisation is a company, up to 2% of its worldwide annual sales.

This sanction applies if the breaches relate to a failure to comply with data security requirements, a failure to implement data anonymisation where possible, or the absence of a data protection officer where one is required.

The heaviest penalty

For more serious offences, the penalty is double the base penalty: twenty million euros or 4% of worldwide annual sales for companies.

Infringements that could lead to such a sanction include: failure to comply with the principle of lawful and consented processing; use of manifestly inaccurate data; retention of data for longer than necessary; failure to respect the rights of data subjects with regard to their personal data.

Other penalties

Other penalties may be imposed for infringements that are not mentioned above. These sanctions are determined by the various members of the European Union and relate to specific national territories.

Examples of penalties applied

For these examples, we’ll focus on France and its regulatory authority, the CNIL, which has the power to determine whether or not there has been a fault.

In May 2023, a company that puts patients in touch with medical practitioners was declared at fault by the CNIL for several breaches of GDPR. These included the failure to obtain consent for the processing of data from users who filled out a form (thereby providing information about their health). They were also at fault for retaining data for longer than was necessary with regard to the purpose for which the data was to be processed, as well as shortcomings in the data encryption system. For these faults, the company was fined €280,000 by the CNIL.

To cite another example, let’s look at the case of a company that provided targeted adverts online. This company did not properly respect the rights of several individuals whose data they held. These included the right of access to stored data: when an individual tried to obtain the data the company held about them, the data provided was only partial. In addition, consent to data processing was sometimes not obtained from the company’s partners. Finally, the purpose of processing was only defined in vague and broad terms, which also represented a breach of the GDPR. For these and other breaches, the company was fined €40 million. This is one of the largest fines ever handed down by the CNIL.
