Legal guide


Startups: Preparing for GDPR compliance

GDPR: personal data compliance

Designed for start-ups, this guide aims to provide a concise overview of the various steps required to prepare for GDPR compliance.

For more technical information on this topic, we recommend reading all of the firm’s publications.

Find all of PCS Avocat’s publications and advice.

GDPR Compliance: An Obligation for All Businesses

The protection of personal data is primarily governed by the French Data Protection Act of January 6, 1978, and the recent General Data Protection Regulation of April 27, 2016.

In practice, since May 25, 2018, all companies are required to comply with the principles and rules established by these texts, failing which they risk substantial financial penalties: up to €20 million or even 4% of global turnover.

Several examples of CNIL sanctions

Bringing a company into compliance with the GDPR requires addressing several issues, particularly related to its personal data processing, contractual frameworks, IT security, and employee training.

A GDPR audit is the first and most important step for companies that are not yet compliant.

GDPR & businesses: What is personal data?

Personal data legally refers to any data that allows a natural person to be identified, directly or indirectly.

  • This usually includes first and last name, photograph, date of birth, video, voice, fingerprints, etc.
  • This also includes information that allows a person’s identity to be determined through a third party: this is particularly the case with telephone numbers, license plates, social security numbers, IP addresses, etc.
  • It can also be deduced from a combination of various information: age, medical history, and travel records can all together allow a person to be identified.
  • Finally, this data can concern customers, employees, interns, suppliers, and external service providers within a company.

Failure to understand the applicable rules can have significant consequences for companies: see our overview of common GDPR errors.

GDPR Audit: Scope of research and analysis

The GDPR imposes accountability on companies, which must be able to demonstrate their data protection compliance in the event of an audit or request from partners. As such, it is no longer necessary to file a CNIL declaration.

The GDPR audit covers all the elements required of any company established in, or offering its products and services within, the European Union. Companies must, in particular, demonstrate:

  • The existence of an up-to-date data processing register; this document consolidates all personal information collected for all of the company’s activities: human resources, website, newsletter, customer management, accounting, etc.
  • The preparation of impact analyses throughout the company’s development, particularly in the event of a new processing implementation;
  • Oversight of the company’s various service providers and subcontractors, and of their own GDPR compliance in their dealings with you.

These GDPR audits can be carried out by a member of the company, competent in the matter, or by an external service provider, generally audit firms or specialized lawyers.

GDPR - Personal data protection - CNIL sanctions & remedies

GDPR audit in practice: duration and cost

The GDPR audit is designed to provide a comprehensive and complete overview of all of a company’s internal processes regarding personal data.

Mapping the “data flows” collected and processed by the company, it requires the identification of the various relevant stakeholders and departments in order to create the first mandatory document: the processing register.

Young companies and digital startups generally have numerous data processing processes, which require auditing as soon as possible. The duration and cost of audits necessarily vary depending on the complexity and development of the company, ranging from a few hours to several days, or between €1,000 and €10,000.

GDPR Compliance Procedures

To anticipate any audits or requests from a partner company, it is important for each company to adhere to certain practices:

  • Appoint a Data Protection Officer (DPO);
  • Update contractual documents with clients and partners;
  • Secure processing systems;
  • Define procedures for access and exercising individual rights;
  • Educate and train employees and staff members;
  • Update communication materials: website, cookies, newsletters, etc.

Find all the procedures for implementing the GDPR

Written by:

Published on: 28/07/2023
Updated on: 01/12/2025

PX Chomiac de Sas