RGPD Audit: A Simple Method for Identifying your Priorities

Personal data processing has become a major concern for the French. According to IFOP, 69% of them are concerned. In other words, your prospects and customers are likely to be asking you about it (very soon).

Legal departments are aware that compliance with the RGPD is a priority. But where do you start when there are thousands of pieces of data? And how can a contract management solution help with this mission?

RGPD compliance: why get started today?

For several months now, you’ve been alerting senior management to the importance of getting to grips with the RGPD. Unfortunately, you haven’t received any concrete feedback from them. So here are a few arguments that might convince them.

Good to know: CNIL inspections are becoming increasingly frequent (135 for the year 2021), and they concern large structures as well as SMEs or start-ups.

RGPD compliance: a marketing asset

Internet users are constantly confronted with phishing, unwanted e-mail advertising and nuisance calls. Faced with these intrusive practices, more and more people are wondering in whose hands their information will end up.

Moral: being respectful of the data entrusted to you – and making this known – becomes an obvious competitive advantage. This is all the more important if the company wishes to develop a relationship of proximity and trust with its customers.

CNIL control: a real risk

As soon as you are in possession of information relating to an identified (surname, first name) or identifiable (e-mail, telephone, image) natural person, you come under the jurisdiction of the CNIL.

No company is spared. All it takes is one complaint or one report for this eminent organization to come knocking at your door.

Regardless of the type of inspection carried out (on site, by invitation, online or documentary evidence), the Commission will evaluate your internal processes and related documents. It’s best to have prepared the groundwork.

The 3 pillars of a successful RGPD audit

Before you get started, it’s essential to get organized. Here are our 3 recommendations to get you started.

1) Appoint a data protection officer, and give him/her the means to succeed!

Someone in the company absolutely has to wear this hat. Usually, it’s the legal department or the CIO. However, depending on the importance and sensitivity of the data in question, it may be advisable to hire or appoint a Data Protection Officer (DPO), either in-house or as a service provider.

This person will act as the conductor of the orchestra, listing all the departments that deal directly or indirectly with data (marketing, after-sales service, sales, etc.). The hardest part will be getting the cooperation of operational staff. That’s why the company must not only train him or her, but also provide the necessary resources for the job.

2) List partners and subcontractors that are not RGPD compliant ✅

Actors subject to the RGPD must maintain a register of subcontractors. It is therefore necessary to check that all subcontractors who process personal data:

  • have addressed the RGPD contractually (e.g. have signed an RGPD clause);
  • are included in the register of subcontractors.

✨ Our advice: give preference to partners and subcontractors who hold certifications and are fully compliant with the RGPD. Otherwise, you could be criticized for entrusting data to a structure that isn’t secure enough or that doesn’t respect your customers’ privacy. Similarly, pay attention to digital sovereignty. The CNIL is quite hostile to data hosting outside the European Union. It has even just issued a formal notice to a French site manager who uses Google Analytics. In conclusion, work with structures that operate on our territory or that of the EU.

3) Get the basics right: cookies and privacy policy

Some cookies require the consent of visitors (display of personalized advertising or sharing on social networks). If the user refuses these cookies, they cannot be placed on his or her terminal. In order to comply with the law, set up a consent banner system as recommended by the CNIL. Find out more here.

The privacy policy requires more thought. It will be the result of an internal investigation, since this mandatory document, accessible from your site, describes how the data collected on your site is used.
It must include mandatory information such as the contact details of the person responsible for data processing, the purpose and destination of the data, the customer’s rights to object, to access and to rectify, etc.

DiliTrust: an automated audit to set up an effective roadmap

The hardest part is yet to come! You need to clear the backlog by reviewing the content of your contracts. What’s at stake? Analysis, and thus implementing corrective actions to handle user data in compliance with the RGPD.

How can a contract management solution like DiliTrust help you with your RGPD audit?

Did you know? DiliTrust is a turnkey solution that automatically identifies key information in your contracts based on certain criteria (applicable law, level of responsibility, etc.). This gives you a global view of the actions you need to prioritize, such as obtaining the consent of a customer segment, signing an endorsement for the use of a particular piece of data, and so on.

Your worst enemies in an RGPD audit: lack of time and mistakes

Without a solution like DiliTrust, the task ahead of you proves to be as indispensable as it is tedious. Your job here is to manually record in an Excel spreadsheet, contract by contract, the data that is affected by the RGPD. The work is therefore colossal, especially if there are branches in France or abroad.

Gathering thousands of contracts by hand is not ideal, especially if you’re in an emergency situation (such as being summoned by the CNIL or if an investor considers compliance an essential condition). At this stage, errors and incompleteness are commonplace.

DiliTrust: artificial intelligence and automation for fast, reliable harvesting

The crux of an RGPD audit? Identifying, then quickly extracting, contractual data.

To do this, you can configure fields such as date of signature, specific clauses, period, parties, etc., to find all the data you’re looking for in just a few clicks, and export it to Excel. The technology intelligently supports you in this work and drastically reduces oversights and errors.

For example: you want to automatically compare existing clauses in contracts with the European Union’s standard contractual clauses, to find out whether your clauses comply with EU requirements. DiliTrust does it for you!

Good to know: The European Commission has made available and updated standard contractual clauses on the subject: more information on this subject here.

RGPD standard clauses must contain 7 elements:

  • 1/ description of the processing
  • 2/ obligations of the service provider towards the beneficiary
  • 3/ subcontracting
  • 4/ data transfer
  • 5/ right to information
  • 6/ security measures
  • 7/ documentation and auditing

Does DiliTrust respect the RGPD and the privacy of its users?

The answer is yes! Our legaltech has obtained ISO/IEC 27001:2013 international certification for information security management systems, and its extension for privacy protection ISO 27701:2019.

In concrete terms? With DiliTrust, your data is managed within a highly protective framework (hosting security) and, above all, is processed in compliance with the RGPD (your privacy matters to us).

Want to see how DiliTrust helps you achieve RGPD compliance?