The General Data Protection Regulation (GDPR) will come into effect in France on May 25th, and companies are expected to start implementing measures for compliance with the new data protection rules applicable from May 25th, 2018. In this context, the French data protection authority (CNIL) has recently published guidelines setting out its strategy on how it expects companies to comply with the GDPR.
(1) CNIL's strategy with respect to pending preliminary formalities
The current French data protection law is based on a system of preliminary formalities that companies must complete in order to lawfully process personal data. Although this system is still in force today, the GDPR will soon repeal such formalities and instead require companies to be able to demonstrate their continued compliance with the GDPR's obligations (e.g. by preparing records of their data processing activities).
Although most of the pending preliminary formalities will soon disappear, professionals are still, in theory, obliged to complete all such formalities until the entry into force of the GDPR. In this respect, the CNIL will not be able to review all pending or future authorization requests that are submitted prior to May 25th and, in particular, will not be able to review incomplete or incorrect declarations.
The CNIL therefore invites data controllers to prioritize their actions by complying instead with the GDPR's substantive rules and to prepare, if necessary, a data protection impact assessment (DPIA) in order to comply with the GDPR once it comes into force.
(2) CNIL's strategy with respect to DPIAs
With respect to DPIAs, the CNIL is preparing a list of processing operations that are subject to mandatory impact assessments and another list of processing operations for which, on the contrary, no DPIA is required. These lists will be published soon and should make it easier for controllers to assess whether or not they must carry out a DPIA. In the meantime, the CNIL has set out a clear strategy for checking data processing activities depending on whether a company has carried out prior formalities before the GDPR comes into force.
On the one hand, the CNIL will not require the immediate performance of a data protection impact assessment for processing operations that have been regularly notified or registered with the CNIL before 25th May 2018 (e.g. normal declaration or prior approval) or that are listed in the DPO's list of processing activities, unless such processing operation presents a high risk, in which case the CNIL expects the data controller to carry out a DPIA within a reasonable period and no later than 3 years from 25th May 2018.
On the other hand, companies will not be able to benefit from this 3-year grace period if a DPIA is required because a given processing activity is likely to present a high risk:
- For processing operations prior to 25th May 2018 that have not been filed or registered with the CNIL;
- For processing operations that have been registered with the CNIL prior to 25th May 2018 but which have undergone substantial changes since then;
- For any new processing activity that is carried out after 25th May 2018.
(3) CNIL's strategy with respect to sanctions
With respect to enforcement and sanctions, the CNIL has announced a two-tier approach depending on the types of obligations that are infringed by organisations.
Regarding the fundamental principles of data protection which remain essentially unchanged (lawfulness of processing, retention period, data security, etc.), the CNIL will continue to verify compliance with these principles rigorously during its inspections.
However, with respect to the new obligations and rights under the GDPR (right to portability, impact assessments, etc.), the CNIL's inspections will focus mainly and initially on supporting companies in their understanding of, and compliance with, the GDPR. In the first months that follow the GDPR's entry into force, where an organisation is acting in good faith and can demonstrate that it has engaged in a compliance program and is willing to cooperate with the CNIL, the purpose of the CNIL's inspection should normally not be to sanction that organisation.
Also note that the French Data Protection Act has been amended, so watch this space for our next article on the key amendments to the French Data Protection Act.
With special thanks to French trainee-lawyer, Loriane Sangaré-Vayssac, for her help in preparing this article.