The European regulation No. 2016/679 of 27 April 2016, or General Data Protection Regulation ("GDPR"), will enter into force on 25 May 2018. Businesses that fail to comply can be saddled with administrative fines that can reach the greater of EUR 10,000,000 and 2% of the world annual turnover of the previous year.
The present article describes in a very practical way the actions that a business established in France must take in order to comply with the GDPR, assuming it is currently complying with the law No. 78-17 of 6 January 1978.
Such a business shall maintain a record of personal data processing activities ("processing activities") of which it is the controller. The record template proposed by the French data protection authority, the Commission Nationale Informatique et Libertés (the "CNIL"), contains a list of processing activities and a descriptive sheet for each processing activity. Each processing activity sheet must indicate, among other things, its purposes, the categories of data subjects (an expression referring to the natural persons whose personal data are being processed), the categories of recipients and, "where possible", the envisaged time limits for erasure of the different categories of data.
It is recommended to identify the processing activities using the same nomenclature as that developed by the CNIL in its exemptions, simplified norms, single authorisations, reference methodologies and recommendations on normal declarations, and to verify that each processing activity conforms to the recommendations of the CNIL in each of these documents as regards the categories of data collected, the time limits for erasure and the categories of recipients.
If the business also acts as data processor within the meaning of the GDPR (if it processes personal data on behalf of a controller), it shall maintain another record for these processing activities.
The GDPR exempts from these obligations businesses that employ fewer than 250 employees, but the exemption applies only to processing that is "occasional", not likely to result in a risk, and not in relation to sensitive data or criminal convictions and offences.
Data protection clauses and notices shall be updated given the new information that must be communicated to data subjects (employees, clients and suppliers who are natural persons, and natural persons representing clients and suppliers that are legal entities).
Any consent form shall be updated given the new requirements.