Privacy & Information Security Law Blog

On March 15, 2017, the French data protection authority (the “CNIL”) published a six step methodology and tools for businesses to prepare for the EU General Data Protection Regulation (“GDPR”) that will become applicable on May 25, 2018.

The six steps are summarized below.

Step 1: Appointing a Data Protection Officer (“DPO”) or “Pilot”

The CNIL’s methodology first stresses the need for organizations to appoint a leader to pilot governance of data protection within their structure. This person will internally carry out informational, advisory and control tasks. Pending the application of the GDPR in 2018, the CNIL suggests that organizations may appoint a French DPO (Correspondant Informatique et Libertés) now. This will allow them to be one step ahead and better organized to comply with the upcoming GDPR. The CNIL strongly recommends appointing a DPO (with internal relays) who will be in charge of ensuring GDPR compliance, even if the organization is not required to appoint a DPO under the GDPR.

The first step will be completed once organizations have appointed a “pilot” responsible for implementing GDPR compliance measures based on an engagement letter, and have provided that person with human and financial means to perform his/her tasks.

Step 2: Data Mapping

For the second step, organizations are recommended to identify, in detail, their data processing activities. They may do so by preparing and maintaining a register of data processing activities. The CNIL’s methodology notes that, under the GDPR, organizations will have to keep full internal documentation of their data processing activities. The CNIL’s methodology proposes a template register.

Organizations may move to the third step if they:

• have contacted all the appropriate services and entities that process personal data within their structure;
• have established a list of their data processing activities per (main) purpose—not per system or application used—and of the types of personal data processed;
• have identified the vendors/data processors involved in each data processing activity; and
• know where the data is being transferred and to whom, where it is hosted and for how long it’s retained.

Step 3: Prioritizing Compliance Actions

After preparing the register in the second step, the CNIL’s methodology recommends identifying, for each data processing activity, the actions that will need to be implemented to comply with current and future data protection obligations. This prioritization must be carried out, taking into consideration the risks to the rights and freedoms of the data subjects.

The actions to be implemented will, at a minimum, include:

• ensuring that only personal data that is strictly necessary is collected and further processed;
• identifying the legal basis for the data processing;
• reviewing existing privacy notices to comply with the GDPR notice requirements;
• verifying that all vendors/data processors are aware of their new obligations and responsibilities under the GDPR and that appropriate privacy clauses are inserted in services agreements;
• defining a procedure for handling data subjects’ requests for exercising their data protection rights; and
• verifying the data security measures implemented.

The third step will be completed once organizations have implemented measures to protect data subjects concerned with their data processing activities and have identified those data processing activities that involve a privacy risk.

Step 4: Managing Risks

If, during the previous step, organizations have identified data processing activities that may pose high risks to the rights and freedoms of data subjects, they will need to carry out a privacy impact assessment (“PIA”) for each of these data processing activities. The CNIL’s methodology refers to the CNIL’s 2015 PIA guides as a tool to carry out PIAs under the GDPR.

The fourth step will be completed once organizations have implemented measures to respond to the main risks and threats to data subjects’ privacy.

Step 5: Organizing Internal Processes

Under the fifth step, organizations must implement internal procedures to guarantee data protection at any time, taking into account all events that may occur during the lifetime of a data processing activity (such as a data security breach, management of data subjects’ requests, changes to the data collected, change in vendors, etc.). In particular, this implies the following actions:

• taking into account data protection principles when designing an application or a data processing activity;
• increasing employee awareness and ensuring that information is escalated to relevant employees or directors, in particular by developing a training and communications plan;
• handling data subjects’ complaints and requests for exercising their data protection rights; and
• anticipating data security breaches by ensuring that, in some cases, the breach will be notified to the data protection authority within 72 hours, and without undue delay, to data subjects affected.

An online notification service will be available on the CNIL’s website in May 2018. Pending that service, organizations may consult, by way of example, the French data breach notification form used by telecommunications providers to notify their breaches.

Organizations may only move to the final step once (1) best practices for data protection are implemented by the services in charge of implementing data processing activities, and (2) personnel know what to do and whom to contact in the event of a data incident.

Step 6: Keeping Documentation on Compliance Measures

For the final step, organizations must compile and group all necessary documentation together. The actions and documents produced at each step must be regularly re-examined and updated to ensure continued data protection. In particular, this documentation will need to include:

• the register of data processing activities (for data controllers) or the categories of data processing activities (for data processors);
• PIAs for high risk data processing;
• data transfer mechanisms (e.g., EU Model Clauses, Binding Corporate Rules and certifications, where applicable);
• privacy notices;
• consent forms, as well as evidence that data subjects have given their consent where consent is the legal basis for the data processing;
• procedures implemented for the exercise of the data subjects’ data protection rights;
• contracts with vendors/data processors; and
• internal procedures in the event of a data breach.

The sixth step will be completed once the documentation demonstrates compliance with all of the GDPR obligations.

The CNIL will adapt and complete the above tools when relevant GDPR guidelines are published by the Article 29 Working Party.