BLOG/The tools that make you take risks with the GDPR/

The tools that make you take risks with the GDPR

Entered into force in May 2018, the General Data Protection Regulation regulates the processing and circulation of personal data. In a context of multiplication of digital services and tools, this new framework is necessary to protect the sensitive information of individuals. Any entity collecting data in the European Union must comply with the GDPR to the letter, under penalty of fines and penalties of up to 20 million euros and 4% of the company's turnover.

Did you know that a number of the tools you use on a daily basis internally as part of the relationship with your customers and prospects make you take risks with the RGPD? What are these tangible and intangible tools whose use should be closely checked to ensure compliance with the GDPR?

Your computer and your corporate phone

Compliance with the GDPR begins with the tools you use at your workplace. It is your responsibility to educate employees on the issues of potential theft or loss of material, and to ensure the complex encryption of fixed and nomadic stations to avoid data leakage. Thus, it is necessary to set up multifactorial identifiers to connect to a position or a session. In case of flight or theft, a report to the CNIL is mandatory within 72 hours.

Your internal files

Any entity must inform its employees that it processes their personal data. Thus, the identity of the person in charge of personal data in the company must be provided to them. Employees must be informed of how their data is used and by whom, and how long the information about them is kept. Only the people in charge of the administrative management of the entity and in charge of human resources can access this data within the company. When an employee leaves the company, you do not have permission to keep his data sine die. The deadline is five years to keep pay slips. It should be noted that employee consent is implicit in the processing of their personal data in the context of payroll management, the employment contract and the control of their activity.

Your client files

"Should I burn my client file? Asked the Échos reporter in a provocative way in 2018, when the GDPR came into effect. If the answer is thankfully no, you should be cautious and rigorous in their compliance and be prepared to erase a certain amount of data that you have been keeping for too long. It's going to be getting the consent of people who have never given it to you explicitly. If you can do without consent in principle, for those of your customers working in a professional sector closely related to the services you offer (we speak of "qualified" file), it is always better to ask. After 3 years, delete the information from your "silent" customers. If you market services, let them know how their data will be used. It would be a good idea to insert a paragraph "Data protection", clear and understandable, in your general conditions of sale.

Your emailing tools and newsletter

Do you have a habit or wish to contact prospects and customers by mail? To comply with the GDPR you must have previously obtained their clear consent - silence or no response is not considered as a clear consent. Recommended, the "double opt-in" allows to ratify the agreement to the extent that your contacts agree twice to receive your news. Moreover, in case of control you must keep the proof of the agreement given by your customers and prospects. In all your email campaign links, you must provide the opportunity for your users to unsubscribe. Finally, it is about informing, to allow your contacts to assert their rights.

Your website

Any entity needs visibility and exists on the internet . Make sure that your website is compliant when it is created or when it is redesigned. This is and necessarily, even for a minimal showcase website to include the legal notice to identify the publisher of your website, and to obtain the consent of Internet users to be traced, if your site analyzes their navigation and their modes of consultation and navigation. In the case of a commercial site, the obligations are more numerous and you must make sure to secure all pages of your site according to the https protocol.

Your cloud

Cloud computing is considered by the GDPR as an act of "outsourcing". You must be able to indicate if the personal data processed are transferred to another country, and if so, which one. In this second case, your subcontractor - the entity making available its "cloud" - must be able to demonstrate that appropriate safeguards have been implemented in accordance with the GDPR. Precautions must be taken when choosing your cloud.

Video surveillance at your premises

Especially in large and large corporations and for entities producing financial services or working on high-tech topics, video systems -surveillance are often installed in the premises. To respect the recommendations of the CNIL and the GDPR, we must be careful not to film employees in certain situations. Thus, it is not allowed to film employees at their workstation unless they handle money. The premises intended for the break, the toilets, as well as the trade union premises will have to be expurgated from their video-surveillance system. In addition, it is the responsibility of the employer to inform employees and potential visitors of the presence of cameras in the workplace, as well as the storage life of the filmed images, and the possibility of submitting a complaint to the company. CNIL.

Many everyday tools are therefore sensitive. It is up to business leaders to be very scrupulous in this regard, and to ensure the information, awareness, data protection of both their employees and their customers and prospects. This has the consequence of updating and, if necessary, redesigning your digital tools and part of the information system. On the other hand, it is important to ensure the compliance of the platforms and tools used in subcontracting. This is not always obvious. A SaaS solution (Software as a Service) for automation and management of administrative tasks like alf has the advantage designed according to a "GDPR by design" and follows the recommendations of the CNIL.