GDPR compliance requires verifying that the software used within the company respects the fundamental principles of the EU regulation, first and foremost the restrictions on transfers of personal data outside the EU/EEA and the obligation to respond to data subject requests concerning the rights of access, rectification, erasure, restriction of processing and objection.
Many IT solutions are likely to process personal data in ways that breach GDPR. These include, first, office and telecommunications tools: electronic messaging, word-processing and spreadsheet software, scanning and reprographic tools, mobile applications, fixed-line and mobile telephony, and chat and videoconferencing services.
The software concerned may also be business applications: HR (personnel management, payroll, recruitment), social-network communication, online surveys, monitoring, production or supply-chain ERP, customer relationship management (CRM), supplier management, accounting, access control, video surveillance, and so on.
Nor should we forget applications developed in-house, the tools used for software development (development environments, SDKs, frameworks, etc.) and the components of the IT infrastructure: firewalls, proxies, antivirus, application, web, file and database servers, and virtualization and backup systems.
Inventory of solutions likely to transfer data outside of the European Union
An inventory of all these solutions is therefore necessary. It must first make it possible to identify possible transfers of personal data outside the European Union carried out as part of business activities and support functions. The verification should initially focus on features that send data to the solution's publisher or to a third-party SDK or framework provider. It is then necessary to check whether use of the service requires the creation of an account with the publisher, since such an account is itself a flow of personal data to that publisher.
For third-party applications installed on the internal network, it is also necessary to identify solutions that generate data flows to the supplier (updates, telemetry, etc.) or that allow remote access. When third-party applications are hosted in a private cloud, ask where the installation and its backups are located and identify any remote access by the supplier or its subcontractors. Note that transfers can also take place between the entities of an international group, for example through the deployment of a group-wide HR management solution.
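One practical way to feed the inventory described above is to compare the destinations actually seen in proxy or firewall logs against a register of approved processors and their hosting region, so that telemetry, update and backup flows to unregistered or non-EEA destinations surface automatically. The following Python script is an added example, not code from the original article: the log format, hostnames (reserved `.example` names), register contents and transfer mechanisms are all constructed assumptions, and adequacy decisions are deliberately not modelled.

```python
"""Flag outbound data flows to destinations outside the register of approved processors.

Added example (not from the article). The log format, hostnames, regions and
transfer mechanisms below are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed register of approved processors: hostname -> hosting region and,
# for non-EEA hosting, the transfer mechanism relied on (e.g. SCC, BCR).
APPROVED_PROCESSORS = {
    "crm.saas-vendor.example": {"region": "EU", "mechanism": None},
    "backup.eu-host.example": {"region": "EU", "mechanism": None},
    "hr.group-parent.example": {"region": "US", "mechanism": "BCR"},
}

EEA_REGIONS = {"EU", "EEA"}

# Assumed key=value egress log format: "<ts> src=<ip> app=<name> dst=<host> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+app=(?P<app>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_log(lines):
    """Parse matching log lines into dicts; lines in another format are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        flow = m.groupdict()
        flow["bytes"] = int(flow["bytes"])
        flows.append(flow)
    return flows


def classify(dst):
    """Derive a compliance status for a destination from the register."""
    entry = APPROVED_PROCESSORS.get(dst)
    if entry is None:
        return "unregistered"          # nobody has assessed this destination
    if entry["region"] in EEA_REGIONS:
        return "approved-eea"          # no international transfer involved
    if entry["mechanism"]:
        return f"approved-transfer-{entry['mechanism']}"
    return "transfer-without-mechanism"  # approved vendor, but transfer basis missing


def inventory(flows):
    """Aggregate flows per destination and attach the compliance status."""
    summary = defaultdict(lambda: {"apps": set(), "sources": set(), "bytes": 0})
    for f in flows:
        s = summary[f["dst"]]
        s["apps"].add(f["app"])
        s["sources"].add(f["src"])
        s["bytes"] += f["bytes"]
    return {dst: {**v, "status": classify(dst)} for dst, v in summary.items()}


def findings(lines):
    """Return only the destinations that need review (anything not approved EEA hosting)."""
    return {dst: v for dst, v in inventory(parse_log(lines)).items()
            if v["status"] != "approved-eea"}


# Constructed sample log: a CRM client talking to its vendor and to an
# unregistered telemetry host, a group HR portal, a scanner phoning home for
# updates, a backup agent, and one malformed line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.1.15 app=crm-desktop dst=crm.saas-vendor.example bytes=5120",
    "2024-05-01T10:00:05Z src=10.0.1.15 app=crm-desktop dst=telemetry.saas-vendor.example bytes=812",
    "2024-05-01T10:01:00Z src=10.0.2.7 app=hr-portal dst=hr.group-parent.example bytes=20480",
    "2024-05-01T10:02:00Z src=10.0.3.9 app=pdf-scanner dst=updates.scanner-oem.example bytes=3072",
    "2024-05-01T10:02:30Z src=10.0.3.9 app=backup-agent dst=backup.eu-host.example bytes=1048576",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for dst, info in sorted(findings(SAMPLE_LOG).items()):
        print(f"{dst}: {info['status']} apps={sorted(info['apps'])} bytes={info['bytes']}")
```

The point of the exercise is the "unregistered" bucket: the CRM vendor is approved, but the separate telemetry hostname used by the same client was never assessed, and the scanner's update endpoint is not in the register at all. Those are exactly the supplier-side flows the inventory is meant to catch; the status labels are a starting point for the legal review, not a conclusion.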
Ensuring that right-of-access requests can be processed efficiently
IT solutions deployed within the company must also allow individuals to exercise their right of access to the information held about them through simple and rapid means. As a reminder, the controller must respond to a right-of-access request without undue delay and at the latest within one month of receipt (GDPR Article 12(3)). This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, provided that the data subject is informed of the extension within one month of receipt of the request.
The company with which the right of access is exercised must provide the data subject with a copy of the personal data it holds about them. The following information must also be communicated: the purposes of the processing, the categories of data concerned, the recipients to whom the data is disclosed, the retention period, any available information on the source of the data where it was not collected from the data subject, and the existence of automated decision-making. It is therefore essential that the software used by the company can contribute to producing this information by delivering clear and accurate data in an easily usable format.
If the data is held by a processor, the processor must assist the company in fulfilling its obligations regarding the right of access. This may be the case, for example, when employees request the geolocation data of their vehicle: the employer can then turn to its processor to provide this data in an accessible form. It will of course be necessary to check beforehand that the software used by the processor can readily deliver this information. The right of access is not the only right provided for by the GDPR: the rights of rectification, erasure, restriction of processing and objection must also be exercisable smoothly and in practice.
Checking the security level of third-party software
Adopting off-the-shelf solutions requires, as part of a GDPR compliance process, verifying that the chosen software implements measures that guarantee the security of the data collected and prevent its disclosure to unauthorised third parties. This is all the more true for solutions delivered as SaaS, where the publisher hosts and processes the data itself.
Likewise, the tools deployed must be able to archive data that is no longer used on a day-to-day basis but whose retention period has not yet expired. Archives must be secured in a manner appropriate to the risks posed by archiving, the nature of the data to be protected and the impact on the persons concerned in the event of a breach.
It is also necessary to ensure that the software publisher integrates security and personal data protection as early as possible in its development process (privacy by design). Data protection must be present from the design phase and in default configurations (privacy by default), in order to give the persons concerned better control over their data and to limit errors, losses, unauthorised modifications and misuse of the data in the applications.
The particular case of comment fields in deployed CRM software
In most CRM tools, the comment fields used to follow up a customer file or personalise the commercial relationship deserve special attention. The information collected on individuals must be adequate, relevant and limited to what is necessary for the purposes of the processing (data minimisation). The same applies to recruitment software: the information collected on candidates must be limited to assessing their skills and professional ability to hold the position offered.
To minimise the risk of non-compliance, the CNIL recommends limiting the use of free-text comment fields and favouring drop-down menus offering objective assessments; the solutions deployed in the company must therefore support such structured fields. Regular audits, and automated tools that check the words contained in the comment fields of the software in use, can also be considered. Finally, regular extractions of comments make it possible to verify compliance with GDPR, which requires the tool to make this type of operation easy.
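The automated word check mentioned above can be prototyped over a periodic extraction of the comment fields. The following Python script is an added example, not code from the article or from the CNIL: the watch-list groups illustrative terms under the GDPR Article 9 special categories plus a bucket for subjective judgements, and both the terms and the CRM records are constructed for the demonstration. Accents are stripped before matching so that an entry such as "dépression" is caught by the same pattern as "depression".

```python
"""Scan free-text CRM comment fields for terms that suggest excessive or
special-category data. Added example; the watch-list and records are constructed.
"""
import re
import unicodedata

# Constructed watch-list, not an official list. Keys are review categories;
# the first four mirror GDPR Article 9 special categories.
WATCHLIST = {
    "health": ["sick leave", "pregnant", "depression", "disability", "cancer"],
    "religion": ["muslim", "christian", "jewish", "mosque", "church"],
    "political_opinion": ["votes for", "communist", "far-right"],
    "trade_union": ["union member", "strike", "cgt"],
    "subjective_judgement": ["lazy", "rude", "unpleasant", "difficult person", "stupid"],
}


def normalise(text):
    """Lower-case and strip diacritics so accented spellings match the watch-list."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


# One word-boundary-anchored alternation per category, built from the normalised terms.
PATTERNS = {
    category: re.compile(r"\b(" + "|".join(re.escape(normalise(t)) for t in terms) + r")\b")
    for category, terms in WATCHLIST.items()
}


def scan_comment(text):
    """Return a list of (category, matched_term) pairs found in one comment."""
    norm = normalise(text)
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(norm):
            hits.append((category, m.group(1)))
    return hits


def scan_records(records):
    """Map record id -> hits for every record whose comment triggered the watch-list."""
    findings = {}
    for rec in records:
        hits = scan_comment(rec["comment"])
        if hits:
            findings[rec["id"]] = hits
    return findings


def summary(findings):
    """Count hits per category across all flagged records, for the audit report."""
    counts = {}
    for hits in findings.values():
        for category, _ in hits:
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed extraction of a CRM comment column (assumed columns: id, comment).
SAMPLE_RECORDS = [
    {"id": "C-1001", "comment": "Asked for a callback after 5 pm; prefers email."},
    {"id": "C-1002", "comment": "Client on sick leave until June, do not call."},
    {"id": "C-1003", "comment": "Dépression mentioned during call; difficult person."},
    {"id": "C-1004", "comment": "Is a union member (CGT), mentioned the strike."},
]

if __name__ == "__main__":
    flagged = scan_records(SAMPLE_RECORDS)
    for rec_id, hits in flagged.items():
        print(rec_id, hits)
    print("per category:", summary(flagged))
```

Keyword matching of this kind produces false positives (a "church" in a street address) and misses paraphrases, so its output is a worklist for a human reviewer, not a verdict. Note also that the scan itself processes personal data: run it on the extraction the tool already produces for the audit, keep the report with the audit records, and do not copy the flagged comments anywhere else.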
GDPR compliance requires careful examination of the software solutions deployed. This examination covers many aspects: possible transfers of data outside the European Union, the ease of providing the data needed to exercise the rights of access, rectification, erasure, restriction of processing and objection, and the security level of the solutions concerned.