On January 13, 2015, the French Data Protection Authority (the “CNIL”) published a Referential (the “Referential”) that specifies the requirements for organizations with a data protection officer (“DPO”) in France to obtain a seal for their data privacy governance procedures.
According to the CNIL, “governance of personal data” (also called “governance of IT and Civil Liberties”) includes all the measures, rules and best practices that allow private and public organizations to manage personal data in compliance with data protection principles. The goal of the Referential is to assist organizations that have appointed a DPO in France to (1) implement these measures, rules and best practices; and (2) improve accountability.
The Referential includes 25 requirements that apply cumulatively and are divided into three categories.
1. Internal Organization Related to Data Protection
This category relates to the organization’s data privacy policies and DPO, and includes requirements:
- To have an internal privacy policy that defines the role and responsibility of each actor involved in the implementation of data processing operations. The internal privacy policy explains how the organization protects personal data and contains the organization’s primary data protection principles.
- To have an outward-facing privacy policy in French. This policy informs the relevant external individuals (such as customers and vendors) about the processing of their personal data.
- That the DPO be appointed for all data processing operations within the organization.
- That the DPO report directly to a member of the executive board, have attended all of the CNIL’s training sessions on basic data protection principles, data security and HR issues, and have appropriate means (including an annual budget) to fulfil his or her duties.
- That the DPO create a comprehensive register of all processing operations implemented by the organization that contains significantly more information than the information currently provided by the DPO in its register (e.g., how any consent was obtained, the use of cookies, etc.).
2. Method of Verifying that Data Processing Operations Comply with Data Protection Law
This category includes the requirements to (1) conduct data security risk assessments, (2) implement appropriate data security measures to address the risks identified, and (3) conduct periodic audits (internal or external) to ensure that the processing operations that pose the highest risk are compliant with law.
3. Assessment of the Management of Data Subjects’ Complaints and Data Incidents
This category includes the requirements to have specific procedures to handle data subjects’ requests and manage data security breaches. The procedure for data security breaches must cover or include (1) the detection of breaches; (2) that information concerning the breach be conveyed to the DPO in less than 24 hours of detecting the breach; (3) a determination of the nature of the breach; (4) that the DPO formulate recommendations and send those recommendations to the data controller; (5) the data controller’s action plan; and (6) the implementation of corrective actions and the DPO’s advice about the implementation, as well as a revision of the previous risk analysis, if appropriate. In addition, the individuals affected by the data security breach must be notified of unauthorized access to their data by a third party in less than 72 hours.
According to the CNIL, compliance with the requirements in the Referential will allow companies to prepare for the accountability obligations that will be introduced by the proposed EU General Data Protection Regulation. In this respect, the Referential confirms that the DPO is the strategic cornerstone of accountability and data privacy compliance.