The General Data Protection Regulation (GDPR) was adopted in April 2016 and applies directly and uniformly throughout the European Union. It replaces the 1995 directive on the protection of personal data in European Union law and takes precedence over the provisions of the Data Protection Act of 1978. The European area therefore has a single harmonized framework, fully applicable from 25 May 2018.

One change imposed by the Regulation concerns the obligation to appoint a data protection officer (DPO). In the public sector, this obligation concerns both central administrations, decentralised bodies and local and regional authorities. In the private sector, companies whose activity consists of large-scale processing of personal data will also be required to appoint such a DPO.

In an increasingly data-driven economy, this obligation thus concerns a very large number of companies.

4 steps to compliance

The DPGR training provides an update on the new rules and tools that are mandatory as of May 2018, in order to start compliance as soon as possible in your organization. This training is addressed to CIL/DPO/DSI/RSSI/Quality and Compliance Manager.

Methodology

• Lecture course
• Practical application via interactive workshops
• Training provided by an ITrust legal advisor

The training is entirely in French and the materials are handed out at the end of the training.

The objective of this step is to take stock of the current status of the DGR requirements and then propose an action plan for compliance.

Methodology

ITrust is based on the documentary methodology enacted by the CNIL, divided into several stages:

• Kick-off meeting
• State of play
  • Documentary review (contract, IT charter, internal regulations, security policy, BCP/PRA…)
  • Technical audit
  • Identification of risk scenarios
  • Interviews with the person responsible for the information system in order to draw up an inventory of personal data processing operations by degree of sensitivity and to analyse transborder data flows.
  • Identification of existing or planned security measures
• Assessment of compliance with the DGR and action plan

On the basis of the study and mapping, ITrust accompanies you in complying with the RGPD defined by the action plan in the previous step.

Methodology

ITrust puts its expertise at the service of client compliance on legal, organisational and technical measures (ISO 27 00x, EBIOS, EIVP, PCI DSS, RGPD, RGS, security certification, PSCo…).
ITrust can, for example, propose the following projects:

• Privacy policy and articulation between the different actors (including the DPO): accountability, internet, IT charter, contract updates, etc.
• Organizational processes throughout the treatment life cycle. Examples: privacy by design, deletion of personal data, procedure in the event of exercise of the right of individuals to access their data, etc.

ITrust offers organizations the opportunity to capitalize on its RGPD compliance with their employees and customers, prospects and business partners. Indeed, the respect of the standards in this field constitutes a significant competitive added value.

Methodology

• Raising the awareness of all employees, globally or by profession
• Adjustment of internal documents (internal regulations and IT charter) by involving staff representative bodies

• Promoting the protection of personal data in corporate social responsibility (CSR) policy
• Support in obtaining the CNIL governance label