GDPR compliance is a complex process requiring the intervention of at least an IT specialist and a lawyer. Indeed, it is a question of ensuring adequate computer security as well as an organization of the data making it possible to limit the amount of processed data.

Phase 1: Implementation of GDPR compliance:

The first phase marks the designation of a pilot: this step consists of appointing a data protection officer who can be the manager of the company.

Phase 2: Organization of GDPR compliance

– mapping of personal data processing: this involves drawing up a register of operations making it possible to keep track of the categories of personal data (in order to determine whether it is sensitive data, data relating to recruitment, payroll management, training in the management of customers and prospects, etc.), the objectives pursued, the actors, the flaws). The map will include at least the following elements:

o the purpose of the processing (why does my structure collect data and what are the limits of collection and processing?),

o the data retention period (it depends on the purpose),

o the categories of data (is it sensitive data?),

o the persons concerned by the data,

o the recipients of the data (i.e. determining the persons having access to the data),

o the security measures applied to the processing,

The organization of the processing of personal data involves the insertion of a “GDPR” clause in contracts and general conditions of sale. In case of any doubt about the application of the GDPR to a contractual relationship, a GDPR clause should be inserted. Indeed, a professional email address whose format would be “” would be qualified as personal data when it contains a first and last name. Exposure to personal data law and the GDPR is therefore constant.

It is necessary to consider data minimization, i.e. to plan to collect only the data strictly necessary in order to carry out the activity in question. GDPR compliance is an opportunity to improve internal practices.

– establishment of priorities: depending on the sensitivity of the data – which will have been established during the mapping – the actions to be carried out will be prioritized, measures in order to proceed with the erasure of data which would not be strictly necessary will be proposed (subject to subject to the limitation period applicable to each contract), the information notices of the persons concerned will be reviewed and if necessary, proposals for modifications will be made, finally the procedures for exercising the rights of access, rectification and withdrawal in particular will be proposed;

Phase 3: Protection of the data controller against the risk

– risk management: for personal data likely to generate high risks, an impact study relating to data protection will be carried out – a description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to fundamental rights.

Remember: although computer protection and the improvement of internal data processing will limit the risks, it is advisable to prepare for any eventuality. Data presenting the highest risks (data concerning in particular religion, union membership, etc.) will be subject to special processing.

Phase 4: Improvement of the internal organization and preparation for a control by the CNIL

– organization of internal processes: internal processes will be proposed in order to mitigate the risks of IT security breaches from the creation to the destruction of data, in order to deal with requests for changes to data (right of rectification, right of opposition etc…);

– documentation of compliance: the data controller is responsible for proving compliance with the GDPR, this means that She must compile the documentation in order to face any control by the CNIL ;

– train partners and associates / employees: it is advisable to provide for a charter for the collection and processing of personal data and to ensure continuous training for the staff of the structure. Data processing compliance is constantly evolving and should be regularly monitored. As such, the CNIL website makes it possible to follow the evolution of regulations and good practices.

The firm can provide you with a model register to help you with your GDPR compliance.