The GDPR for an alumni association

Small lexicon:

• GDPR = General Data Protection Regulation
• DPO = Data Protection Officer
• DC = Data Controller
• SB = Subcontractor
• Processing: any operation, manual or automated, made on personal data (collection, modification, consultation, export…)

The GDPR (General Data Protection Regulation), or GDPR in English, is the European reference text on personal data protection for EU residents that came into force on May 25, 2018.

The objectives of the GDPR are to strengthen the rights of individuals regarding their personal data (and the duties of those in charge of processing them). For example:

To comply with the GDPR, three main principles must be kept in mind:

1. Logic of compliance (Accountability) :

VYour association must implement internal mechanisms and procedures to demonstrate compliance with data protection rules. It is therefore advisable to anticipate potential risks rather than wait for a possible sanction by asking yourself the question: who would want to retrieve/use your database and for what purpose?

For example:

The GDPR also establishes a co-responsibility regime for processors. Contractually, the latter undertake, among other things, to implement adequate protection measures and to alert the data controller in case of data leakage.

For example:

Proactively, RT incorporates privacy by design into a service or product and throughout the data lifecycle, from collection to deletion. In addition, the highest level of protection will be enabled by default.

For example:

1. APPOINT A DPO (DATA PROTECTION OFFICER)

Ideally endowed with legal and technical skills, the DPO is the data protection officer. He or she is in charge of informing and advising his or her team on the obligations of the GDPR and of checking the compliance of the processing carried out by the association and its subcontractors (NetAnswer, printer, person in charge of the mailing…).

We suggest that you create an alias for your own domain name, so that your DPO can be contacted at dpo@YOUR_DOMAIN. This will allow you to communicate easily with your members, while being able to put several recipients behind this alias (your DPO but also your president or any other person who could be required to respond to a request from one of your members).

FOR OUR CUSTOMERS

The DPO of NetAnswer is Loïc Février, he will be the contact person at NetAnswer for your DPO. If you have not yet appointed a DPO (Data Protection Officer), we invite you to send us the contact details of the person who will occupy this role in your structure in order to facilitate our exchanges by sending an email to dpo(at)netanswer(dot).fr

2. MAP YOUR PERSONAL DATA PROCESSING

To concretely measure what impact the GDPR has on the protection of your data, accurately list your personal data processing operations by qualifying them in a register established by your DPO. It must contain:

• Name and contact details of the RT (the association) and the DPO,
• Purposes of the processing (automated or not) carried out on the data,
• Categories of data and data subjects,
• The categories of recipients of the data,
• The actors (internal or external) who process these data (in particular the subcontractors),
• The deadlines for the deletion of the data if requested;
• A description of the technical and organizational security measures.

3. PRIORITIZE THE ACTIONS TO BE TAKEN

Once the register has been filled in, you will have a global view of all the processing carried out and will be able to identify those that pose a problem in the context of the GDPR. You will then be able to carry out the actions to comply with them in order of priority, being particularly vigilant on the following points:

• Make sure that only the data strictly necessary for the pursuit of your objectives are collected and processed
• Identify the legal basis for your processing (consent of the person, contract, legal obligation…)
• Review your disclosures to ensure that they comply with the Regulation
• Check that your subcontractors are aware of their new obligations and responsibilities, and make sure that there are contractual clauses reminding them of the subcontractor’s obligations in terms of security, confidentiality and protection of the personal data processed
• Provide for the modalities of exercising the rights of the persons concerned
• Check your internal security measures.

4. MANAGE THE RISKS

If you have identified personal data processing operations that are likely to generate risks, you must conduct a data protection impact assessment (DPA) for each of these operations.

For each processing operation (internal or by a TS) likely to generate high risks, an impact analysis must be conducted by the DPO :

• What event may present a risk to individuals?
• What situations make such an event possible?
• What is the probability and impact of this risk?
• What measures can be taken to address/mitigate these risks and comply with the GDPR?

This impact analysis is performed jointly by the RT and the ST. Thus, NetAnswer accompanies its customers in this process to define the treatments we carry out for them.

Example:

• Considered event: a laptop is lost/stolen.
• Situation: an administrator has a copy (of a part) of the database on this laptop (excel export for example).
• Impact of the risk: the postal and email addresses of the members can be used for canvassing, identity theft, phishing….
• Action to be taken: Is there a need to have this copy on this laptop? Is it possible to encrypt this data and decrypt it if necessary? Determine who can export or store this type of data. Limit the data exported. Make people aware of the risks involved. Delete data exports once they have been used (after an event, for example).

5. ORGANIZE INTERNAL PROCESSES

To ensure that this action plan is sustainable, processes must be put in place to guarantee the integrity of the data throughout its life cycle, from collection to deletion, and to train internal teams.

Example:

In the event of a data breach, the data controller must inform the CNIL within 72 hours of becoming aware of the breach by communicating:

• Nature of the breach,
  ,
• Number of persons concerned,
• Type of data concerned,
  ,
• Name and contact details of the DPO,
• Probable consequences,
• Measures taken or to be taken.

Data subjects must be informed as soon as possible by communicating:

• Nature of the breach,
• Name and contact information of the DPO,
• Probable consequences,
• Measures taken or to be taken.

Concerning the other persons, it is not specified an obligation to reach 100% of the members so a communication by email (and/or on the site) could be sufficient.

6. DOCUMENT COMPLIANCE

To prove your compliance with the regulation, you need to build and collect the necessary documentation. The actions and documents taken at each step must be reviewed and updated regularly to ensure ongoing data protection.

You are ready to document your compliance with the GDPR by gathering:

• The processing register,
• Any impact analyses,
• A description of the procedures put in place to inform individuals, collect their consent and allow them to exercise their rights,
• The contracts reviewed with your subcontractors,
• The internal procedures planned in case of a data request or breach.

It is therefore simply a matter of gathering the different documents showing that you comply with the GDPR and that you have planned the actions to be taken in the different cases that may arise.

SOURCES

GDPR, publication in the official journal:http://eur-lex.europa.eu/legal-content/FR/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.FRA&toc=OJ:L:2016:119:TOC

https://www.cnil.fr/fr/se-preparer-au-reglement-europeen

https://www.cnil.fr/fr/reglement-europeen-sur-la-protection-des-donnees-un-guide-pour-accompagner-les-sous-traitants

https://www.cnil.fr/fr/le-droit-la-portabilite-en-questions

ANY QUESTION ?