
Protection of personal data: the impact of the GDPR on web projects

Posted: Tue Dec 10, 2024 5:02 am
by mstlucky8072
It is in this context that the European Parliament and the Council of the European Union published, on April 27, 2016, the new regulation on the protection of personal data.

But ultimately, beyond the 99 articles contained in the text, what are we talking about? What are the impacts of the GDPR on web projects, and above all, what steps should be taken?


What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation defines the framework within which organizations can process personal data. According to the CNIL, "between increased uses of digital technology and the development of e-commerce, the legal context is adapting to keep up with developments in technology and our societies."

Since May 25, 2018, all organizations processing or storing personal data must be in compliance, under penalty of being fined. This is a European regulation (EU regulation 2016/679 of April 27, 2016) which replaces the Data Protection Act of 1978. Directly applicable, the GDPR therefore does not require transposition into domestic law or an implementing decree.



The scope of the GDPR
Its scope of application is broad since it concerns:

All processing of personal data (PD) by an organisation located in the EU;
All processing of personal data, carried out by any company or administration regardless of its location, which relates to an offer of goods or services or monitoring of the behavior of people located in the EU.
This second condition therefore involves all organizations, in particular companies, whatever their size, to the extent that they manage the data of their employees, but also of their customers, in particular through their online presence on e-commerce sites or social networks.



The GDPR in continuity with the Data Protection Act
The very logic of the GDPR is not new, since the principles relating to personal data of the 1978 law are present. This European regulation therefore follows on from the French Data Protection Act, but nevertheless introduces reinforced requirements.

In fact, the 1978 law was essentially aimed at guaranteeing a legal framework for:

Fair and lawful collection of data;
The obligation to determine processing purposes which must be explicit and legitimate;
Data security and the right to information, opposition and access for individuals.


Obligations regarding the protection of personal data
Today, the GDPR is enriched with new concepts such as:

Documentation and justification of processing compliance: companies that previously had to draft declarations or requests for authorization to the local supervisory authority (in France the CNIL) will no longer have to do so. However, they will be required to keep a register of data processing to record, throughout their life cycle, information relating to their regulatory compliance and the protective measures implemented;
Reporting data breaches to the supervisory authority within 72 hours, and possibly to the data subjects in the event of potential harm;
The concepts of Privacy by design (these requirements must be integrated from the design stage of applications) and security by default (the default security of infrastructures processing or collecting personal data);
Impact analysis for critical processing (assessment of risks linked to the processing of personal data);
Guaranteeing new rights for data subjects and strengthening the right to erasure and to be forgotten.
Finally, if the Data Protection Act has made it possible to lay the foundations for the principles of personal data protection, the approach of the GDPR regulation has been profoundly revised. Its operational implementation is also very different.

What are the risks of GDPR?
The excitement surrounding the GDPR comes mainly from the fact that it poses new risks for any publisher of a website or web application.