Governance procedure of DIDOMI has been labelled by the CNIL
June 6, 2018 by Julie Tamba
Just before the French Data Protection Authority ceased this activity, DIDOMI obtained what is probably the last label delivered by the CNIL.
Under decision 2018-240 dated 24 May 2018, the CNIL acknowledged that the governance measures implemented by DIDOMI meet the requirements of the reference document in relation to procedures aimed at protecting personal data.
What is a label?
Label pre-May 25th
Under the French data protection act, the CNIL was authorized to grant labels to products and procedures aimed at protecting personal data.
One of these labels (among four) covers the governance procedures of companies: it was created in 2014 to demonstrate compliance of such procedures with the French Data Protection Act, then amended in 2017 to demonstrate their compliance with the General Data Protection Regulation.
This label delivered to DIDOMI is the confirmation by the CNIL that the procedures we have implemented adequately protect personal data under the General Data Protection Regulation.
Certification post-May 25th
The GDPR expanded this French feature to the whole EU territory and gave new options in that regard. The certification can now be delivered either directly by the Data Protection Authority (option 1) or by a private certification body on the basis of criteria approved by the Data Protection Authority (option 2).
The CNIL has decided to move its activity from option 1 to option 2 from the 25th of May onwards: although the reference documents remain in the hands of the CNIL, the certification operation itself will be carried out by privacy certification bodies in accordance with the usual European certification schemes.
DIDOMI therefore obtained the last (or one of the last) labels delivered directly by the Data Protection Authority itself, valid from 24th of May 2018 until 24th of May 2021!
What does our label cover?
How we manage data related questions
The procedures we have implemented concern:
- How we analyse our processing operations to make sure they comply with the GDPR: this includes a general analysis of compliance, a specific analysis of risks (Privacy Impact Assessment), a review of concerned recipients and contracts, etc.;
- How we ensure transparency with persons about what we do: this covers how we inform persons about our processing in our Privacy Center, how we disclose and update our commitments in terms of data protection and how we plan to notify the CNIL and the persons of any breach of personal data (hopefully we will never need this one!);
- How we answer requests from the persons in relation to their rights: this covers a specific internal calendar and circuit making sure appropriate answers are given to the person within appropriate deadlines;
- How we ensure the implementation and follow up of any data protection related matter: this includes methods to internally raise awareness of employees, regular meetings to review ongoing projects, record of our processing both as a data controller and as a data processor, annual audit and review of our procedures, etc.
How we comply with the GDPR
Basically, these procedures do not make us any better than any other entity complying with the GDPR: in fact, they all aim, simply and plainly, at complying with the GDPR.
The reason they give us an advantage worth mentioning is straightforward: the GDPR is quite complicated to implement, and we have conceptualized a clear way to optimize that implementation.
This may sound like nothing, yet it is very useful for dealing with this intricate regulatory framework!
What does it mean for our clients?
First of all, it means that clients can entrust us with their own personal data because we process it the best way we can!
Most importantly, this means that we will try to help them move towards even more compliance.
We are not selfish and are not planning to keep these procedures to ourselves: on top of the current functionalities we offer (the flagships are our enhanced record, our consent management system and our Privacy Center), we will add new tools, new functionalities and new tips inspired by these procedures.
Our goal is to use our experience of privacy and technologies to make privacy management as simple as possible for companies, so stay tuned because there is much more to come!