This audit, based on documentation and on interviews with the relevant personnel, lets us take a snapshot, at a given point in time, of your level of compliance with the GDPR and with privacy legislation in general. It covers both the formal and the security aspects, for a complete and multidisciplinary approach to your compliance with the standards.
If you have already developed an RPA (Record of Processing Activities), it will be very useful for the documentation part of the audit.
Interviews with key officials in your entity are conducted both to detect gaps between protocols and actual practice and to investigate the security measures put in place to protect personal data.
We improve our audit reports after every assignment to raise their quality, and we adapt them to the specific context and needs of each client. Our reports are written by auditors who are involved and passionate, eager to understand, to be understood, and to help their interlocutors progress. The writing, proofreading and approval phases allow us to produce reports that are understandable and meet your expectations.
Our reports consist of an overall summary of the level of compliance and security, a summary by business line if more than one is represented, and details of each verified element with its level of compliance, together with recommendations. These elements can take your particular requests into account: compliance requirements of a sensitive sector of activity, prioritization by criticality or by implementation cost...
The proposed remediation solutions are detailed enough for you to carry them out yourself or to call on the actors of your choice to implement them. We will, of course, be happy to assist you with this if you wish. In addition, in case of significant non-compliance, we may suggest a re-audit, which will let you keep an up-to-date and concrete view of your level of compliance with the GDPR.
This audit process shows that compliance with the GDPR is not just a matter of formalism. Certainly, the current normative framework for the protection of personal data includes its share of documentation. But it is worth remembering that form serves and shapes substance. So if we can produce clear and structured documentation based on our privacy measures, this bodes well for the compliance of those measures with the legal requirements for personal data (PD) protection.
May 25th, 2018 saw a real breakthrough in the French, European and even global digital landscape. We're talking specifically about the digital landscape because, let's face it, the GDPR didn't invent the concept of privacy, or even of personal data protection. France has had a Data Protection Act since 1978 (the so-called "LIL" law), amended several times so that its rules remain relevant.
This is how an arsenal of controls and sanctions came to exist and could be invoked before the ordinary courts, as well as before the CNIL (France's National Commission on Informatics and Liberties). This body was created specifically for the LIL. Its mission is both to support those who process personal data and to sanction those who do not comply with the established rules.
The LIL made France the first European state with legislation specifically protecting personal data. This law was adopted in a context where the processing of personal data was being made increasingly easy by the computerized and automated means of the 1970s. Since then, the context has changed a great deal, which explains the choice of a legislative evolution through a European regulation.
We can cite a few developments to capture this changing environment.
The adoption of the GDPR has therefore made it possible to achieve a twofold objective: to protect personal data (PDs) against the new possibilities for processing it that have emerged in recent decades; and to take into account the Europeanisation and internationalisation of exchanges, facilitated by their dematerialization. A widespread awareness then took hold in the various institutional and professional worlds, in BtoC as well as in BtoB, of the abuses, sometimes without malicious intent, that marred the collection and processing of personal data.
We then witnessed the appointment of many DPOs, including outsourced DPOs. Public and private organizations complied with the formal exercises: mandatory disclosures, requests for explicit consent (the famous "opt-in", relegating the old "opt-out" to the back burner because it does not allow valid consent to be collected) and the RPA (Record of Processing Activities).
The years 2018 and 2019 were marked by several phases of formal implementation of the GDPR. The previous system of prior authorisation gave way to a system of a posteriori control. Since then, it has been possible to collect and process PDs (except in special cases) without prior authorisation. But one must be prepared to undergo a CNIL inspection of one's personal data processing at any time. This is why the whole formal process of appointments, notices, opt-in and documentation (the famous RPA, or the DPIA, Data Protection Impact Assessment) is so important: you don't just have to do it right, you have to be able to prove it.
However, this may have been done, at least initially, at the expense of an extremely important part of the protection of personal data: its security. The formal side of GDPR compliance seemed so sprawling and far-fetched that the importance of actually securing the PDs was sometimes overlooked. And yet it is very often on this criterion that the CNIL pronounces sanctions: the breaches sanctioned by the independent administrative authority more often consist of a failure to sufficiently secure the personal data processed by the data controller in question than of a lack of documentation.
In early 2020, we saw a collective awareness of the urgent need to secure the PDs being processed. Now we must get down to business... But where to start? Information systems were often not originally designed with the protection of personal data as a priority. Since security by design is the prerogative of new solutions or infrastructures, how do you untangle all the existing equipment, networks and public websites?
The new order of privacy protection has gradually taken hold in our institutional and normative landscapes. First came the adoption of the GDPR in 2016, then the famous date of its entry into force, May 25th, 2018, and then the various publications and deliberations of the CNIL and the new LIL... The first consequence of all this was a climate of some disorganization, even for those who had implemented an action plan ahead of 2018. The compliance of our public and private bodies has been (and is still being) carried out in a piecemeal fashion as reforms and new guidance on their interpretation arrive.
That's why today we often find ourselves with a state of compliance that is not mastered, or at least not as well controlled as we had expected or wished for. Yet many scenarios require us to control this compliance in order to turn it in our favour: CNIL inspections, technical incidents, malicious acts, data access requests (from employees, customers, suppliers)... Knowledge and mastery of one's level of GDPR compliance is essential to a positive outcome in these events. To regain that level of information and control over one's own compliance, there is one step that (re)launches the machine: the GDPR audit.