The next General Regulation on the protection of personal data introduces new flagship concepts with which professionals will have to comply. One of them is called the “principle of responsibility”. The regulation reforms current practices in terms of compliance and impacts the principle of accountability. In fact, faced with the failure of the preliminary declaration formalities, the regulation tends to simplify the administrative procedures incumbent on companies. This notion will necessarily influence the way you generate leads. What does this new principle of accountability consist of?

The principle of accountability or the disappearance of prior obligations

Currently, companies that collect personal data are subject to prior declaration or authorization obligations with the CNIL. In addition, professionals who generate leads and archive them in client-prospect files are currently subject to the simplified Standard NS-048, which imposes a prior declaration obligation on them.

With the entry into force of the new regulation, this obligation is set to disappear in favor of the principle of accountability. Indeed, the declarative formalities of French law will be replaced by a duty of “compliance”. Under Article 24 of the Regulation, the controller must implement “appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation”. Thus, the principle of accountability changes this logic. Companies will no longer have to “warn” or “ask permission” from the CNIL to collect and file personal data. They will simply have to comply with the new regulations.

We go from a prior declaration of conformity to a single a posteriori control of the processing.

What are these “appropriate measures”?

The new standard requires the implementation of “appropriate technical and organizational measures”. But what does this mean exactly? Under its Article 25, the regulation introduces the concepts of “Privacy by design” and “Privacy by default”.

Privacy by design

The first can be translated as “privacy by design”. For the data controller, this means integrating personal data protection and privacy requirements from the design stage of the software or technology that will process the data. Confidentiality and privacy considerations are built directly into the design of the product or service. Indeed, privacy must be taken into account when developing work processes, the physical environment and the network infrastructure.

We are talking about a proactive approach. In addition, any new business process that uses personal data must take this notion into account. In practice, this means that an IT department must consider privacy throughout the lifecycle of the system or development process. Different tools will allow you to achieve this, such as impact studies (Article 35) or the appointment of a data protection officer within the company (Article 37). In short, this implies that these requirements are not optional but directly integrated into company practices.

Indeed, on this subject, Mr. Sadde stated that now “this logic must be part of the DNA of companies”.

What is the point of such a process? Potential problems are anticipated and assessed upstream. Ultimately, this saves time and money and reduces the risk of security breaches.

Privacy by default

The term “privacy by default” corresponds to the expression “protection of privacy by default”. It concerns the processing itself. This concept refers directly to the purpose of processing, data retention and accessibility. In practice, this amounts to putting in place, for each data collection, the highest possible level of protection and confidentiality. You will need to collect only strictly necessary information and treat it with fairness and care. You will also have to be careful not to make it accessible to an indefinite number of individuals.

Thus, the principle of accountability makes the protection of privacy a concern at the heart of lead generation. This process is not only intellectual, since the data controller must be able to provide proof that he has done everything possible to comply with the regulation. According to Me Sadde, “From now on, you will have to judge for yourself how dangerous this treatment is”.

The impact study: a new obligation

This new regulation provides for an obligation to analyze the impact of the planned processing operations on data protection.
