Understanding GDPR compliance

What solutions in my organisation?
May 23, 2018 by
Understanding GDPR compliance
INFORUM, Elsa Kopp
Odoo CMS - une grande photo

GDPR affects all of us!

This article is about informing and sharing our experience of GDPR implementation. It is also a summary of what you can find online to help you during this process. We included concrete examples related to the dry-cleaning profession and a process adapted to very small, small and medium businesses. 

1. Quick subject definition 

What is GDPR?

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Source Wikipédia

What for?

In our profession (dry cleaner’s, laundry, textile care), we need to create files for our customers and prospects. To invoice, to deliver clothes to the right customers, to know delivery locations, to notify customers when their order is ready…

The GDPR is useful to reinforce and standardise the protection of personal data you have collected from people living inside the European Union.


When?

Adopted by the Parliament on April 14 2016. Applicable across Europe on May 25 2018.

Who is concerned and where?

Everyone! Craft firms as well as multinationals are concerned as long as they manage the treatment of personal data of people living inside the European Union.

Why do it?

This regulation aims to make companies managing personal data aware of their responsibilities, to allow people to exercise their rights and to increase date treatment security.

Complying with GDPR is also a way to make your company grow by improving the internal processes, as you make sure that the data you keep is useful, up to date and safe.

Keep in mind that the penalties in case of non-compliance may be very heavy (4% of year turnover or 20 million euros!).

How do we do it?

Several sources can help you head for GDPR compliance:
- The CNIL  provides a guide
CMA
CPME

2. The "good reasons" to comply

The CNIL joined forces with BPI France to create a real practical guide for very small, small and medium businesses: Guide with downloadable practical sheets

The first lines set the pace, as the CNIL’s CEO, Isabelle Falque-Perrotin, is being reassuring:

“We should stop the alarmism about GDPR! With this guide, we want to show the small and medium businesses that being in compliance is easy if only you adopt the right behaviours. As consumers are more and more caring about their personal data, tying a trusting relationship with your co-workers, clients and prospects is also useful for the company. Finally, the axe won’t fall on companies on May 26.”

Concerning Inforum, we are convinced that complying with this regulation implies some advantages. Here is our interpretation:

1. It allows to reinforce trust. By proving that the data you collect is treated rigorously and responsibly.

2.  It improves your sales efficiency. And yes, no scoop here, but having a base of 20,000 customers is useless if you don’t keep it up to date. Obsolete phone numbers, misspelled names, duplicate files, passing customers or customers who moved. An updated file is first of all a good and efficient prospection base!

3. Minimise “useful” data. A company manages an ever-growing quantity of data. What if you only kept useful data? GDPR brings you to ask yourself 2 fundamental questions: do I really need to collect this data regarding my objective? Is my data still up to date and in line with the collection’s objective?

4. It helps you secure the company’s internal data. Yes, your data also has value! Protecting your data is crucial, just like making sure that your means of production work well. Not convinced yet? Ask yourself a simple question: what would the impact of a data theft on my company, in terms of image, unfair competition and so on?

5. Reassure your customers! As you know, simply asking for a phone number may sometimes raise your customers’ suspicion, although your intentions are good. Pointing out your responsible approach will help you in those situations.

3. Two key terms to understand

Le RGPD vous demande de vous assurer de la sécurité des données personnelles faisant l’objet d’un traitement au sein de votre entreprise.


Qu'est-ce qu'une donnée personnelle 

All data attached to an identified or identifiable individual is personal data.

Why identifiable?
An individual can be identified directly via his first name or surname for example. But also indirectly via his phone number or social security number or even thanks to data linkage.

Example: you have women clothes and a registered address. In this case, you could identify the person, even if you don’t have any direct identification (surname, first name).

What is personal data treatment?

The answer is obvious: it is what you do with data! This covers collection operations, records, organisation, preservation, adaptation, use, communication, linkage…

Each treatment must have an identified goal. This logic implies that we cannot collect data “just in case” we could use it later.

Examples:
- A customer name is personal data.
The collection and preservation of this name in a file in order to allow the return of the clothes to the right customer are a treatment.

What about the customer file? The “customer file”, for instance, may be a computer file but also a paper file. Nothing forces you to use a computer! But all personal data is concerned, whatever format is used.


4. Move into action... in several steps!

Here is the process Inforum follows to be in compliance with the GDPR (in reality our process is longer, but here we present the steps that can be adapted to your companies):

STEP 1 - List and map data

List the treatment activities of the company. Example: payroll management, training, prospects management, customers management…

Creation of a file for each listed activity, including:
- The goal of each treatment (example: winning customers’ loyalty)
- The naming of used data (or “categories”, examples: name, birth date…)
- The list of people having access to data
- The duration of data preservation

The manager is responsible for this register. You will find a simple model  here.

STEP 2 - Sort out!

For each treatment, ask yourself the following questions:

  • Do I really need all this data?

Example: don’t keep your customers’ birth date if you don’t use it for special offers on this particular day, when the objective of the treatment is winning your customers’ loyalty.

  • Do I manage “sensitive” data?

Examples: political, religious and philosophical views, union membership… See page 53 of the  CNIL/BPI’s guide  for more information.
In this case, you need to analyse the impact, or stop keeping this data.

  • Do the data only accessible by authorized personnel? Do they have access only to what they need?

  • Is it absolutely necessary to keep this data so long? Why?

It is also the good time to do the cleaning!


STEP 3 - Respect people’s right

We finally come to the regulation ends. To respect the rights of the people you collect data from, you must systematically inform them at each collection, on every format used (information on a questionnaire, form, counter…):

  • Why do you do this collection?
    To find items, to inform your customers in case of trouble…
  • What gives you the permission to do so?
    People’s consent, respect of a legal obligation or your “legitimate interest”.
    In most cases, you should try to get people’s consent.

  • What preservation duration?
    5 years from the last order, for example.

  • Who has access to data?
    Especially if you use it internally, or if you may outsource the data treatment (outsourced marketing for example).

  • How can people exercise their rights?
    For instance, indicate an e-mail address, a postal address, a web site, and ask people to contact a specific department or person.

  • Finally, specify if data will be transferred outside the European Union.

The objective is to be clear, concise and transparent. If the notices seem too long, you can write a first summary and send the reader to a more complete privacy policy.
Transparency is mandatory.

You also need to allow them to easily exercise their rights:
The rights for access, correction, opposition, deletion, portability and treatment limitation are rights you must guarantee.
  • Use all means you think useful: phone number, e-mail address, dedicated form on your web site… 

  • Make sure to create a process adapted to the treatment of these requests.

  • Don't forget: not only personal data from your customers is concerned, but also data from your employees for example.

STEP 4 - Secure your data! (last step)

It is time to think about securing your data. Several simple questions to ask yourself:

  • Are internal and external user accounts protected by complex enough passwords? If I use paper files, are they kept safe?

  • Is the access to the premises secure?
    Think about the access to your paper files or to your computer outside opening hours.

  • Are distinct profiles created according to the user needs to access data?
    The goal is to see only what we need! Check if your IT tool allows you to adapt employees’ profiles for example (salesperson, administrator…).

  • Do you have a back-up and data recovery process in case of incident?
    Paper files might be destroyed by mistake: are there copies somewhere?
    Computer failure might occur: do I have daily back-up? What is the process in case of hardware failure?

5. References and useful links

  • Bill adoption by the French Parliament:  LINK

  • GDPR in the Official Journal of the European Parliament: LINK 

  • GDPR in a more understandable format, including a search field (offered by  ALGOLIA) : LINK

  • GCNIL's 6-step preparation guide:  LINK

  • CNIL & BPI’s guide for very small, small & medium businesses:  LINK

Texte Odoo et bloc d'image
Odoo image et bloc de texte

6. What about INFORUM?

We are affected by this regulation just like you, and we are really convinced that our service quality will benefit from its implementation. We hope this little guide will allow you to start serenely this new regulatory step. One more in our profession! But we are not alone!

Be aware that our tools and services already have functions available to help you during this compliance upgrade.

For example, GestiClean V10 and Brooclean allow you to:
- Control the access to personal data with passwords
- Manage profiles for your employees
- Archive, edit and anonymise your customers’ personal data
- Perform back-up or exports

Besides, all your data is completely managed by us inside the European Union (servers located in France and Belgium).

Odoo CMS - une grande photo
Understanding GDPR compliance
INFORUM, Elsa Kopp May 23, 2018
Share this post
Archive