GDPR Support

Ensure Your Compliance with GDPR

Non-compliance with GDPR can result in administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Our tailored program is designed to provide the best support for your organization through five key themes:

Maria KAZANSKAYA

GDPR Consultant
maria.kazanskaya@bdo.fr
BDO Strategy & Performance Department

The first step involves analyzing your personal data processing activities. The goal is to create a detailed map that enables you to:

  • Draft your data processing register.
  • Identify processes requiring a data protection impact assessment (DPIA).
  • Pinpoint risks related to your compliance status.
  • Prioritize actions based on identified risks.

Raising awareness includes:

  • Employee training through an e-learning module to meet your obligation to educate staff.
  • Appointing and training GDPR representatives within your organization to handle inquiries from employees, clients, and suppliers.

Achieving GDPR compliance is an ongoing improvement process. Under the accountability principle, in the event of an audit or inspection by the supervisory authority you must be able to demonstrate that an action plan is in place and actively maintained.

The action plan includes:

  • Necessary updates to align employee data management with GDPR requirements.
  • Drafting mandatory policies and procedures.
  • Preparing the data processing register.
  • Reviewing required privacy notices on your website.
  • Establishing registers for rights requests and data breaches.
  • Implementing a data retention framework.
  • Controlling subcontractor compliance.

The Data Protection Officer (DPO) oversees your data protection policy, a key role offering significant benefits. GDPR imposes strict rules on appointing a DPO to avoid conflicts of interest: the DPO may hold other duties, but not a position in which they determine the purposes and means of processing (for example head of IT, HR, marketing, or general management).

Whether mandatory or optional for your organization, our outsourced DPO offers:

  • Document management for compliance through a dedicated software platform.
  • Representation to the CNIL (French Data Protection Authority) as your point of contact for compliance matters.

The DPO ensures:

  • Privacy by design in applications or processes.
  • Organizing awareness and information flows with a training and communication plan.
  • Addressing claims and requests from individuals exercising their rights (access, rectification, erasure, objection, restriction, portability, consent withdrawal).
  • Anticipating data breaches, including notification to the supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals, and communication to affected individuals without undue delay when the risk to them is high.

An impact assessment evaluates risks to individuals' rights and freedoms. It is required when processing is likely to result in a high risk, which is presumed when the processing meets at least two of the nine criteria defined in the European data protection authorities' DPIA guidelines.

Examples include:

  • Workplace video surveillance.
  • Vehicle tracking for employee use.
  • Professional whistleblowing mechanisms.

If a high residual risk remains after the mitigation measures identified in the impact assessment, the CNIL must be consulted before the processing begins.