RGPD Part 1: Everyone is affected, even associations

This new European regulation concerns the protection of personal data and replaces the missions assigned to the CNIL in France, while reinforcing security.

Applicable from May 2018, the data protection reform has 3 objectives:

1) Strengthen people's rights, in particular by creating a right to the portability of personal data.

2) Make data processors accountable.

3) Enhance the credibility of regulation through greater cooperation between data protection authorities, especially transnational ones.

Are you concerned by the European Data Protection Regulation?

Yes, if you have a file of your association's members and store their personal data (date of birth, e-mail address, etc.).

Yes, if you have a file of contacts to whom you send emailings/newsletters.

Yes, if you have employees and store their personal data.

What are the main principles of the RGPD?
You must ensure that the individual has given you their "informed" consent to be part of your file; i.e., they must be able to know what information you are storing about them and what your use of it is.
You must justify why you are storing this data.
You must provide for the individual to request the deletion of their personal data at least as easily as they have given their consent (right to be forgotten).

What type of data are we talking about for a professional association?
Companies (and associations) will have to keep a complete register of all personal data processing activities. By way of example, here is the information that this register must contain for an association's membership list.

1 - Purpose of processing:
Sub-purpose 1: Payment of annual membership fees.
Sub-purpose 2: Sending out information concerning the profession (events / research grants / regulatory changes / information campaigns / new studies, etc.).
Sub-purpose 3: Studying member profiles to better target the recruitment of new members.
Sub-purpose 4: Reimbursement of travel expenses for meetings organized by the association (scientific committee, board meetings, etc.).

2 - Categories of personal data concerned:
Identification data
Form of address, Title, First name, Last name, Address, Postal code, City, Country, Email, Institution, Sex, Telephone, Sub-specialty, Main activity, Mode of practice, Date of birth, RPPS number, Function, Member type, Member number, Nationality, Sponsorship information (sponsor's first and last name, email).
Personal life

Economic and financial information
Payment date, means of payment, check-issuing bank, IBAN.
Connection data
Login, password.
Location data

3 - Categories of persons concerned: Members of the association

4 - Recipients: Association members

How to make the implementation of the RGPD a reality in your association?
The RGPD provides for an implementation methodology; the CNIL website sets out the 6 steps to follow to comply with this new regulation: https://www.cnil.fr/fr/principes-cles/reglement-europeen-se-preparer-en-6-etapes

SOME RECOMMENDATIONS TO IMPROVE YOUR UNDERSTANDING OF THESE 6 STEPS:

Step 1: Appoint a pilot
The role of the pilot is to act as your association's data protection contact.
In the event of an audit, it is the pilot who will be interviewed, and who must be able to show that you have put in place measures to guarantee the protection of your members' and employees' personal data.
The delegate general is therefore usually the most appropriate person for this role.

Steps 2 and 6: Identify your data and document it
This step involves defining the purpose of all the personal data you store (called "processing" in the RGPD regulation). Each processing operation must be listed in the register; a template file to complete is available at the following link: https://www.cnil.fr/fr/cartographier-vos-traitements-de-donnees-personnelles (European regulation register template). This is the register that will be audited in the event of an inspection, and it will let you see whether you have properly applied your RGPD obligations.
For each of your identified processing operations, you may need to justify, if it is not obvious, why a given piece of data is necessary for that processing operation. In the previous example, take the case of the RPPS number used to manage members. You will then need to complete the register by explaining that the RPPS number is necessary to ensure that the member is indeed registered as a doctor, and as such has the right to access the scientific information available in the member area of your site.
Specific documentation is also required if you store sensitive data (a data protection impact assessment). Sensitive data includes information on health, racial or ethnic origin, political or religious opinions, etc. In principle the association stores no sensitive data, but be sure to check.
Similarly, if you transfer some of the personal data you store outside Europe (for example, you send your membership list to an American association or service provider), then you need to make sure that the recipient complies with the same rules as those imposed by the RGPD, even if they are not mandatory in its country. If in doubt, we advise you to abstain.

Steps 3, 4 and 5: comply with RGPD standards
Focus on collecting consent
It must correspond to the file's intended use (you can't do everything by default). You must ask your members what type of information they agree to receive and how they wish to receive it (email, sms, postal mail). The consent update must be done during 2018.
In a forthcoming Colloquium newsletter, we'll deliver practical advice on how to collect consent, particularly for newsletters.
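To make the consent rules above concrete (no default opt-in, consent per information type and per channel, withdrawal as easy as granting, and erasure on request), here is an added example of a small consent ledger; it is not code from the article or from Colloquium, and the topic and channel identifiers are constructed from the information types and channels the article lists.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Information types and delivery channels named in the article (constructed identifiers).
TOPICS = {"events", "research_grants", "regulatory_changes", "campaigns", "new_studies"}
CHANNELS = {"email", "sms", "postal"}

@dataclass
class ConsentRecord:
    """One member's consent: the (topic, channel) pairs granted plus an audit trail."""
    granted: set = field(default_factory=set)
    history: list = field(default_factory=list)  # (action, topic, channel, iso timestamp)

class ConsentLedger:
    """Opt-in only: a message may go out only for a (topic, channel) the member explicitly
    agreed to; withdrawal and erasure take one call each, no harder than granting."""

    def __init__(self):
        self.members = {}

    @staticmethod
    def _stamp(when):
        return (when or datetime.now(timezone.utc)).isoformat()

    def grant(self, member_id, topic, channel, when=None):
        if topic not in TOPICS or channel not in CHANNELS:
            raise ValueError(f"unknown topic/channel: {topic}/{channel}")
        rec = self.members.setdefault(member_id, ConsentRecord())
        rec.granted.add((topic, channel))
        rec.history.append(("grant", topic, channel, self._stamp(when)))

    def withdraw(self, member_id, topic=None, channel=None, when=None):
        """Withdraw one pair, all channels of a topic, all topics of a channel, or everything."""
        rec = self.members.get(member_id)
        if rec is None:
            return
        for t, c in sorted(rec.granted):
            if topic in (None, t) and channel in (None, c):
                rec.granted.discard((t, c))
                rec.history.append(("withdraw", t, c, self._stamp(when)))

    def can_send(self, member_id, topic, channel):
        """Default deny: an unknown member or an ungranted pair means no sending."""
        rec = self.members.get(member_id)
        return rec is not None and (topic, channel) in rec.granted

    def erase(self, member_id):
        """Right to be forgotten: drop the member's whole record; True if one existed."""
        return self.members.pop(member_id, None) is not None
```

The history list is what you would show an auditor: when each consent was given or withdrawn, for which topic and channel.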
What are the risks of non-compliance with this regulation?
First and foremost, the RGPD was put in place for large web companies as well as all start-ups, mobile applications or websites that store a lot of personal information. As an association, you are not the first to be affected by these regulations. But in the event of an audit, it's important to show your good faith and to be able to present what you've put in place to map your data, and of course to demonstrate that you're not using this data without authorization or control. The penalty for non-compliance is 4% of sales or €20 million.
GDPR: General Data Protection Regulation.

GOOD TO KNOW: The CNIL has published a practical guide for doctors on implementing the RGPD.

Emilie Simon

Project Manager
