CNIL Six-Step Guide to GDPR Preparation
The Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, published a six-step guide to help companies prioritize and prepare for the EU General Data Protection Regulation (GDPR). The GDPR will be enforced starting May 25, 2018, and companies of all sizes across the globe are preparing now. The CNIL’s six steps are highlighted below.
Step 1: Designate a Pilot
- Per Article 37 of the GDPR, designate the Data Protection Officer (DPO). A DPO is required in public bodies and in companies in which the controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”
Step 2: Map Your Processing
- Start with a precise inventory of the data you are processing and where it is flowing and to whom. The registry of data processing will allow you to take stock of your compliance obligations.
- UPDATE –– CNIL Tools:
Step 3: Prioritize Actions
- On the basis of your data map, identify the actions you must take to comply with current law and future obligations under the GDPR and other law. Prioritize those actions according to the risks that your processing activities pose to the rights and freedoms of the data subjects concerned.
Step 4: Manage Risks
- If you have identified processing that could pose a high risk to the rights and freedoms of data subjects, you will need to conduct a Data Protection Impact Assessment (DPIA) for each of those activities.
Step 5: Organize Internal Processes
- To maintain data protection continuously across the company, put in place internal procedures that ensure data protection is taken into account at all times (e.g., policies and procedures regarding security breach preparedness, management of access or rectification requests, modification of data collected, and vendor management).
Step 6: Document Compliance
- To prove your compliance with the GDPR, you must create and consolidate the necessary documentation of the steps you have taken at each of the above stages. The actions and documents created at each stage must be reviewed and updated regularly.
OneTrust tools can help you comply with the above steps, from DPIAs to data mapping, all of which are geared towards GDPR compliance and are intended to provide you with the documentation you need to prove your compliance.