On May 25, 2018, the General Data Protection Regulation (GDPR) will apply to all personal data processing within the European Union.
It will concern all businesses, regardless of size.
The GDPR has a double impact on your activities:
The sanctions, in case of non-compliance with the GDPR, are substantial in all cases:
The GDPR strengthens the rights of individuals whose personal data is collected.
The principles put in place are as follows:
These principles involve the implementation of specific technical procedures: acceptance by check boxes, anonymization, pseudonymization, encryption, logs, security processes.
The persons concerned must also be fully informed of the data collected, the purposes of the processing and the procedures put in place. They must also be able to obtain from the data controller, within one (1) month of their request, the modification or deletion of their data, its transfer, or information about the personal data it holds about them. Anyone can also object to the processing of their data at any time.
The rights granted are therefore extensive and must be reflected in your contractual documents (CGV/CGU in particular) and internal procedures.
While the rights granted to individuals are extended, they remain an extension of existing regulations.
On the other hand, businesses are now subject to transformed and much greater obligations.
The prior declaration is no longer necessary, as each data controller must guarantee compliance with the GDPR for all processing of personal data.
Each company with more than 250 employees must maintain a register of the processing it carries out. Businesses with fewer than 250 employees only have to keep a record of sensitive processing or of processing that is carried out regularly. However, all businesses are strongly advised to keep a record of the entirety of their processing. The CNIL provides a register template that it is recommended to use: https://www.cnil.fr/sites/default/files/atoms/files/registre-reglement-publie.xlsx
Any processing of sensitive data (health, political, ethnic, religious or sexual data) or data that involves profiling must also be subject to an impact analysis. It is also recommended, although not mandatory, for all processing of personal data. The CNIL has made software available to the public that guides this analysis: https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil
Companies are also invited to appoint a Data Protection Officer (DPO), who coordinates internal processing and relations with the CNIL in the event of an audit. This is mandatory if the company processes personal data on a regular and systematic basis, or if it processes sensitive data. The DPO can be internal to the company or a specific service provider.
Various technical and administrative procedures must also be put in place:
It is also important to ensure that your contracts with your subcontractors provide for a distribution of roles and responsibilities in terms of personal data, and in particular that your partners offer the necessary guarantees of compliance with the GDPR.
It is therefore necessary to take stock of your internal procedures and to adapt them prior to May 25, 2018.
The CNIL will have strengthened powers and resources to verify the compliance of companies with GDPR, as of this date.
Do not hesitate to contact us if you need assistance.