General Data Protection Regulation (GDPR)
France adopted the GDPR (RGPD – Règlement général de la protection des données) on May 25, 2018. GDPR governs the collection and processing of personal data in the European Union to strengthen the protection of the rights and freedoms of internet users, among others.
The collection and processing of personal data represent a significant risk of invasion of privacy as it involves a large amount of information on the users of services.
As such, the GDPR introduced a new principle of data protection – the Accountability Principle. In simple terms, this is another level of internal control and management of risks around collecting and processing personal data per European Union privacy rules.
Accountability Principle
The accountability principle has existed in some form or another since the 1980s, evidenced in certain provisions of the OECD rules and directives.
Before the GDPR came into force, companies that collected personal data in France were subject to certain formalities of the National Commission for Information Technology and Civil Liberties (CNIL – Commission Nationale de l’Informatique et des Libertés) that authorized the processing of personal data. While GDPR ended those requirements, it imposes accountability obligations on companies with strict responsibilities and sanctions in case of non-compliance.
The principle of accountability is a legal obligation stemming from articles 5 and 24 of the GDPR, which requires companies that collect data to demonstrate that they comply with the various mandates of articles 5 and 24. It ensures tangible traceability and transparency vis-à-vis the authorities.
GDPR requires internal data controllers to manage the implementation of appropriate technical and organizational measures to ensure that they collect and process personal data in accordance with European Union rules.
By this standard of accountability, companies are subject to control and audits by the authorities, and companies must be able to demonstrate their compliance when asked.
GDPR’s principle of accountability, therefore, entails two main aspects of data control for companies:
- they must ensure conformity in the collection and processing of personal data a priori (prior control)
- they must be able to justify this compliance to the control authorities a posteriori (ex-post control).
Who Should Be Concerned
According to Article 5 of the European Union regulation, this principle concerns the data controller. The data controller is any legal entity (company, local authority, etc.) or individual who determines the purposes and means of processing the data an entity (business) collects.
This “controller” is usually a company’s legal function or representative with the obligation to prove a company’s compliance in case of a compliance inspection or audit.
Data processors also have responsibilities for the implementation of measures and the documentation of processing. However, the texts mandating the principle of accountability impose the ultimate obligation on “data controllers” charged with legal compliance enforcement.
GDPR enshrines two other significant principles: Privacy by Design and Data Portability.
Accountability Principle, Data Portability, Privacy by Design, and Privacy by Default
Privacy by Design
Unlike the accountability principle, the “Privacy by Design” principle aims to protect personal data from the beginning. Companies are therefore obliged to integrate this principle of personal data protection as soon as they implement projects involving data processing (launch websites, e-commerce portals, or other means of collecting personal data).
It forces businesses to anticipate the risks of possible non-compliance with the GDPR requirements by inserting preventive measures.
Key among these measures is the prohibition of collecting personal data without a legitimate reason and the deletion of personal data from a database within specific time frames if there is no legitimate need to keep them.
Privacy by Default
“Privacy by Design” is distinct from “Privacy by Default.” The latter gives the user some leeway and the ability to adjust their privacy settings. But in the context of internet use and application development, the default settings guarantee very high levels of data protection. Users can accept the default settings or change them as they wish to adjust the level of tracking and collection of personal data or online activities; when they do, they are prompted and notified of the risks of these changes.
Right to Data Portability
Before explaining the right to data portability, it might be helpful to recall what “personal data” means because the broad nature of the term can lead to confusion.
According to article 4 of the RGPD, personal data is “any information relating to an identified or identifiable natural person.” An identifiable person is “a natural person who can be identified, directly or indirectly, in particular by reference to an identifier.”
Therefore, other elements such as a photo, a location, a family situation, and a social security or national ID number are also considered personal data along with a first name, surname, or date of birth. The right to portability governs all these data elements.
Article 20 of the GDPR provides the right to data portability. Portability allows the recovery of data transmitted to a platform or organization, whether for personal use or for transmission to a third party. This right gives users more control over the use of their data.
However, the right to portability is not automatic for all personal data. Only those collected by the organization and directly related to the user are concerned:
- data collected by the organization that directly concerns the individual requesting the portability
- data collected by the organization for which it had obtained explicit consent from the individual
- data collected by the organization in the context of a contract.
Anonymous data, for example, will be excluded from the right to portability.
GDPR Accountability
To comply with GDPR’s principle of accountability, the company must document extensive charters, roadmaps, codes of conduct, procedures, guidelines, or other enforcement tools to set the tone at the top from which compliance must flow. These must describe precisely the governance applied by the company to all the data it processes.
Generally classified by theme, this documentation constitutes the compliance “file” or “Accountability file” and can be kept in electronic or paper format.
Contents of an Accountability file:
Depending on the context, the accountability file should include a series of documents, such as the following:
- a processing register
- a data processing map and data flow diagrams
- a code of ethics on the fundamental principles applied by the organization
- an internal and external privacy policy
- the appointment of a DPO if necessary
- a cookie management policy
- a consent form
- methods of managing evidence of consent (traceability)
- the rights of individuals (collection of consent, right to be forgotten, right to rectification …)
- traceability of processing carried out in response to requests to exercise RGPD rights
- an Information Systems Security Policy (ISSP)
The Accountability file is one of the primary missions of the Data Protection Officer (DPO).
For example, a company that has suffered a breach of the personal data it holds (following a security breach or a cyber-attack such as ransomware) will have to take measures to address this breach that include several steps: risk assessment, notification to the National Commission for Information Technology and Civil Liberties (CNIL) and, above all, documentation of the breach.
This documentation aims to list the nature of the violation, its effects, and the remediation actions taken by the company to correct it. The data controller must be able to present this updated documentation in the event of an inspection by the CNIL.
GDPR Operational Compliance
At the operational level, it is necessary to ensure internally that the measures and procedures are effective and efficient. The anticipation procedure must be described and formalized in the accountability file. Companies should test the effectiveness of their programs by simulating fictitious attacks to enrich this anticipation procedure and ensure that the process and procedures set out in the Accountability file will be able to function effectively.
Companies must provide for data protection measures from the moment of conception (“Privacy by design” mentioned above). In this context, data controllers must educate their employees on risk management.
GDPR Non-Compliance Penalties
Sanctions for non-compliance with GDPR obligations can vary:
CNIL Orders: In France, the CNIL may issue a call to order, requiring improvements to internal data protection processes. Sanctions may also take the form of a temporary or complete order to stop the non-compliant processing of data.
Financial Sanctions: 4% of turnover or 20 million euros, whichever is higher.
Reputational Sanctions: Depending on the circumstances, the CNIL will publish the sanctions against non-compliant companies on its website. Beyond the financial penalty, the company’s brand image and credibility are at stake.
Legal Advice on Setting Up Internal GDPR Compliance
GDPR non-compliance is a major risk to companies, as shown above.
While GDPR APIs are available to plug into most websites, it is still a good idea to get legal advice in setting up your internal compliance function and Accountability file – centralizing the mandatory procedures and documentation to prove your compliance.
It allows you to fully guarantee the accountability principle by maintaining traceability, audit trails, and full history for all the GDPR compliance measures.
This allows you to demonstrate that your company is diligent, that it has anticipated the risks, and that it ensures compliance in its processes in the event of an audit or control by the CNIL.