With the entry into force of the GDPR, the formalities required by the CNIL are removed. However, companies are required to prove their compliance by documenting their actions. To help them in their approach, the CNIL has published a six-step plan:
- Appoint a DPO (Data Protection Officer): to oversee the governance of personal data, organisations are (in some cases) required to appoint a lead person with a role of information, advice and control.
- Map the processing of personal data: to measure the impact of the GDPR concretely, organisations begin by accurately recording their processing of personal data.
- Prioritise the actions to be taken: based on the register of processing activities, organisations identify the actions required to comply with the obligations of the GDPR. They must prioritise these actions according to the level of risk that their processing poses to the rights and freedoms of the persons concerned.
- Manage risks: if organisations identify processing of personal data that may result in high risks for the rights and freedoms of data subjects, they must carry out a data protection impact assessment (DPIA) for each such processing operation.
- Organise internal processes: to ensure a high level of protection of personal data at all times, organisations must put in place internal procedures that take into account every event that may occur during the lifecycle of a processing operation (e.g. a security breach, handling of requests for rectification or access, modification of the data collected, change of provider).
- Document compliance: to prove compliance with the GDPR, organisations must consolidate the necessary documentation. The actions taken and documents produced at each stage must be reviewed and updated regularly to ensure continuous protection of personal data.