The CNIL is the French supervisory authority (SA, in GDPR terms) and so is the equivalent of the ICO. The CNIL is one of the most active SAs and regularly publishes information and guidelines on the GDPR.
For example, it has published a six-step approach to GDPR compliance. Unfortunately, it is in French, so for all my English-speaking network, I summarised it in English.
The French version is here.
The CNIL's Approach
Step 1: Appoint a DPO or a project manager
The CNIL takes the view here that a GDPR project is better driven by the DPO from the outset (or, if a DPO is not required, by someone with a similar profile). This means, to me, that the DPO would need project management skills, which is not a stated requirement in the GDPR.
Step 2: Build a Record of Processing Activities
This is article 30, “Records of processing activities”.
The CNIL even provides a template, in Excel format, that you can download here. Nothing in this template is out of the ordinary, as it matches what Article 30 describes.
- Even though Article 30 will not apply to most organisations of fewer than 250 people, it is still good practice to have one: it documents the context around data processing (how, why, where, who, when, what) and will definitely help you with your compliance effort.
- For large organisations, and for processors dealing with multiple customers who require regular updates to this document, a spreadsheet will rapidly create issues because many people will be updating it regularly. This is one of the many reasons why we recommend using dedicated tools to build a data map that leads to an Article 30 register of processing activities.
Step 3: Prioritise the changes you have to make
You need to look at your processing activities, documented in Step 2, and see if there are shortfalls that can negatively impact data subjects' rights. This is a gap analysis to identify the changes you will need to make so that, in particular:
- You have only the data you require and not more (minimisation)
- You have a lawful basis for processing (consent, contract, legitimate interest, …)
- You have appropriate privacy notices (article 13)
- You have updated your contracts with third parties to reflect their obligations under the GDPR
- You can deliver data subjects' rights (data portability, rectification, right of access, right of erasure, …)
- You have security measures in place (ISO 27001 for example)
You can then prioritise and implement those changes based on the risk score of each gap's impact on data subjects' rights.
Step 4: Perform a DPIA (Data Protection Impact Assessment)
Using the record of processing activities, you may have identified activities that present risks to the rights of data subjects. For those processing activities, you perform a DPIA.
- The GDPR does not really mandate a DPIA on existing processing, only on new processing activities that match the criteria for a DPIA. It is interesting to see that the CNIL treats it as a requirement in compliance work.
Step 5: Develop internal processes
This means creating organisational and technical measures to support the regulation:
- Changes to comply with the Privacy by design and by default requirements
- Awareness and training programmes for all staff on data protection
- Implement processes to respond to data subject rights (access requests, data portability, …)
- Develop a data breach reporting procedure
Step 6: Document your compliance
Have up-to-date documentation to demonstrate compliance.
- Record of processing activities (article 30)
- Data transfer contracts
- Privacy notices
- Records of consents and of the consent versions they relate to
- Processes in place to comply with data subject rights
- Third-party contracts (controllers, processors)
- Data breach procedures