Personal data protection on the internet in France


Companies that process personal data within the EU are required to develop a data protection policy. What does the law say about data protection? What does the law require? Must a business designate a data protection officer (DPO)? In this article, we address the most important questions about data protection while explaining how to comply with regulations.

What’s in this article?

  • What is personal data?
  • What is personal data processing?
  • What are the current regulations that address personal data protection?
  • What are the principles of the General Data Protection Regulation (GDPR)?
  • What does the GDPR require?

What is personal data?

Personal data—also referred to as “personal information”—is information that enables an individual to be directly or indirectly identified. Personal data could include first or last names, social security numbers, telephone numbers, email or Internet Protocol (IP) addresses, internet behaviors, or photographs. Anonymized data (i.e., data that eliminates the possibility of identifying the individual) is not considered personal data. The same applies to data related to a legal entity, such as a company.

What is personal data processing?

Personal data processing refers to a large number of processes applied to personal data. These processes can include collecting, recording, organizing, storing, modifying, consulting, suppressing, extracting, disseminating, and deleting data. These activities can be computerized or not.

Examples of data processing include maintaining a customer’s file, collecting prospects’ contact information, and storing IP addresses. Most often, personal data processed by companies is related to customers, suppliers, prospects, employees, and job candidates.

What are the current regulations that address personal data protection?

Since May 25, 2018, the General Data Protection Regulation (GDPR) has served as the framework for data collection and management within the EU. The GDPR has standardized the regulations for all public and private entities that process personal data within the EU. Here are the principal entities involved:

  • Organizations created within the EU, such as startups, small and midsized businesses, large companies, associations, professional organizations, and public entities

  • Foreign companies that target European citizens

  • Processors collecting and managing personal data on behalf of other businesses

For example, a company based in China that processes the personal data of an individual in France must comply with the GDPR.

What authority is in charge of personal data protection in France?

The National Commission for Information Technology and Civil Liberties (Commission nationale de l’informatique et des libertés, or CNIL) oversees the protection of personal data collected by public and private entities. CNIL provides support to companies as they comply with applicable regulations and is responsible for sanctioning those that do not comply.

What are the principles of the General Data Protection Regulation (GDPR)?

The GDPR is based on several principles. Personal data processing must be lawful, transparent, temporary, and secure, and it must take place only when necessary (i.e., data minimization). Here is more information about each principle:

  • Lawful purpose
    Every time personal data is processed, there must be a legal basis that justifies it. Therefore, a business cannot collect personal data without a specific and legitimate goal.

  • Transparency
    All individuals must be informed of their rights and that their data is being collected. It is important that businesses facilitate the implementation of individuals’ rights.

  • Data minimization
    A business should only collect the data that is strictly required to achieve the purpose it has stated.

  • Limited duration
    The duration of data storage must have a set ending date. The business must develop a clear policy about data storage.

  • Security
    The business must implement security measures to protect the personal data it collects.

Note: Processors that process personal data on a business’s behalf must also comply with the GDPR.

What does the GDPR require?

The GDPR requires a company to provide information and transparency to the individuals whose data it collects. To do so, companies must obtain consent, facilitate the implementation of customer rights, maintain a processing register, and guarantee data security.

Informing individuals

A company must inform all individuals whose personal data it collects. The information must be clearly communicated and must include the following:

  • Processor’s identity and contact information (e.g., a manager)

  • Reason for processing

  • Legal basis justifying processing (e.g., individual’s consent, execution of a contract, legal requirement)

  • Mandatory or optional nature of data collection

  • Recipients of the personal data

  • Data storage duration

  • Customers’ rights

  • Right to make a claim to the CNIL

  • Existence of data transfer to a country outside the EU, if applicable

Failing to provide this information can result in a fine of up to €1,500 for sole proprietors and €7,500 for businesses. Businesses must provide the information at the time of data collection, in the event of subsequent changes, or within a reasonable period not exceeding one month (e.g., for indirect data collection).

Obtaining consent

Businesses must also obtain customer consent if the business does the following:

  • Uses cookies

  • Sends promotional emails

  • Collects sensitive personal data

  • Reuses data for other purposes

Customers must be able to give independent consent for all purposes if there is more than one purpose. Businesses cannot use checkboxes that are checked by default.

Note: Lack of consent can be punishable by five years in prison and a €300,000 fine for sole proprietors or €1.5 million for companies.

Guaranteeing individual rights

Businesses are required to respect the rights of the individuals whose data they process. These include the right of access, right of rectification, right to be forgotten, right to object to processing, and right to data portability. It is important for businesses to allow individuals to easily exercise their rights.

Maintaining written records of processing activities

A record of processing activities documents every processing activity the company carries out. Maintaining a written record is mandatory for companies with more than 250 employees.

Ensuring secure data

It is important to create robust mechanisms to guarantee data security. Businesses can implement the following strategies:

  • Mandatory customer authentication and access restrictions

  • Daily logging systems to ensure activities are traceable

  • Automatic locking, firewalls, antivirus software, and virtual private networks (VPNs)

  • Regular backups and archiving of data that is not used on a daily basis

You can integrate Stripe Checkout directly on your website to strengthen the security of your customers’ data. Checkout facilitates entering and reusing customer payment data while managing sensitive card data in full compliance.

Other obligations

If a business processes personal data on a large scale, it can be required to designate a DPO. In addition, when a business’s processing activities present a heightened risk for customers’ rights and liberties, a Data Protection Impact Assessment (DPIA) becomes mandatory.

If personal data is transferred outside of the EU (e.g., data transferred to a subsidiary in China or a foreign contractor), businesses must request permission from the European Commission. An adequacy decision must be adopted for the business to be able to transfer its data.

The content of this article is provided for informational and educational purposes only. It does not constitute legal or tax advice. Stripe does not guarantee the accuracy, completeness, relevance, or currency of the information contained in this article. You should seek the advice of a qualified lawyer or certified accountant in the relevant jurisdiction(s) for advice tailored to your situation.
