GDPR compliance: start by identifying your personal data

The 31st of March 2021 marked the end of the “reasonable period” granted by the CNIL to companies to respond to the latest directives on the protection of personal data. Adopted in October 2020, these directives were intended to limit the impact of advertising cookies. This deadline has now passed, and the body in charge of personal data protection has announced an increase in inspections. Companies must ensure that their entire data collection, analysis, production and development process complies with standards. This is an important, but not insurmountable task, which must begin with the identification of personal data...

1. Identify the data to better understand the actions to be taken and avoid problems

When an organization collects data, problems can quickly accumulate. Between the different collection channels, the different types of data and the numerous storage spaces, it is easy to get lost. It is therefore important to carry out preparatory work before each use of data in order to define a “framework for the collection and use of data”, ensure compliance with the GDPR and be able to act quickly and efficiently if an issue arises.

However, not all organizations have yet implemented this process and are therefore exposed to risks during the various phases of data collection and use. It is therefore essential for these organizations to take action and analyze their datasets in order to comply with the legal framework and to be able to deal confidently with a potential inspection by the CNIL.

2. Adopt a proactive and pragmatic approach

Given the magnitude of the task of complying with the GDPR directives, experts recommend adopting a reasoned working method, with an analysis of all channels of incoming information as the starting point. Thus, the first step involves listing all spaces where data is potentially stored. This includes, but is not limited to, databases (SQL, NoSQL, etc.), software package storage and emails.

The effort involved in producing such a census can be considerable. The more detailed the list is, the more relevant the detection work will be. In addition to facilitating the compliance task, a prior analysis of the scope of the work makes it easier to frame the project and, above all, keep costs under control. This avoids turning a compliance project into a financial disaster for a company.