On 25 May 2018, the European Directive on the protection of personal information (GDPR*) will come into force. All companies affected will need to bring their processes into compliance or face a fine of up to €20 million or 4% of their annual worldwide turnover.

In light of the risks, some companies may see the GDPR as a constraint, especially in terms of their organisational structure. However, the new regulation heralds a real opportunity for all those concerned, since it means (re)focusing the contract formation processes and supplier relationships on the buyer.

* General Data Protection Regulation

When does the GDPR apply?

The GDPR will apply to each service involving the use of personal information.

Outsourcing, CRM, purchasing information systems, accounting software… document conformity will no longer depend solely on companies’ goodwill, but also on suppliers’ ability to send information in accordance with the future regulation.

As such, buyers will play a key role in checking for compliance.

 The six steps for complying with the new regulation

1.   Designate a project manager

You will need to appoint a project manager to lead your GDPR project. Information, advice and operational implementation: the project manager, or owner, will be the single point of contact for organising all the necessary actions and staying on schedule.

2. List all the processes involving the use of personal information

To understand how the new regulation will affect organisations, you must first review all the internal and external processes involving the use of personal information.

3. Prioritise the required actions

Once the register of processing activities has been established (see step 2), all that remains is to arrange the actions in order of priority in terms of the likely risk of influencing the freedom of the people concerned.

4. Manage the risks

If major risks to people’s rights and freedoms are identified when prioritising the actions (see step 3), the objective will be to quickly carry out a privacy impact assessment (PIA) for each action.

 5. Implement internal processes

To ensure maximum protection of personal information, organisations should focus on internal processes allowing them to keep constant track of all events that could potentially emerge during the life of a processing activity, such as a change in supplier, management of access requests and a modification to the data collected.

6. Document the compliance

Clarify your compliance as much as possible by grouping the necessary documentation together: the actions carried out to achieve the level of compliance and the work regularly required to maintain the level of data protection. This ultimate step is necessary to demonstrate that your organisation is in compliance with the level of conformity required by CNIL.