22 February 2018
The French data protection authority (‘CNIL’) published, on 19 February 2018, a press release outlining its approach in terms of enforcing compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) from 25 May 2018. In particular, CNIL stated that for the first few months it will make a distinction between fundamental principles and new obligations or rights. While with respect to the former, strict compliance checks will continue to be upheld, the controls in relation to the implementation of new obligations or rights will be carried out with a view to providing organisations with a good understanding of the operational implementation of the GDPR. Provided that an organisation acts in good faith, engages in the compliance process and cooperates, CNIL outlined that it is unlikely that such controls will lead to sanctioning procedures in the first months of the GDPR’s application.
Cécile Martin, International Counsel at Proskauer Rose LLP, told DataGuidance, “CNIL has taken a very pragmatic approach to the implementation of the GDPR. I am not surprised [as CNIL has] always taken a very pedagogic attitude in order to encourage companies to comply with data protection law and accompany them along the compliance process, rather than sanctioning them. CNIL understands that companies are doing their best to achieve compliance with the GDPR and has acknowledged that certain aspects of the regulation either imply a requirement for specific technical measures, which will take time and coordination, or involve further documentation from CNIL, particularly in relation to Data Protection Impact Assessments (‘DPIAs’).”
CNIL will not require DPIAs to be carried out immediately with regard to processing activities that have been subject to prior formality or have already been registered. Nonetheless, a DPIA should be carried out for high-risk processing activities ‘within a reasonable time which can be estimated to be within three years from 25 May 2018.’ Additionally, CNIL stated that DPIAs will have to be completed without delay for all new processing activities and for those which have undergone a substantial change prior to the implementation of the GDPR.
Martin added, “According to the GDPR, the local data protection authority has an obligation to publish a list of data processing activities which require a DPIA, as well as a list of activities that do not. As long as these lists are not published, it is quite difficult for CNIL to sanction companies for failure to comply with the DPIA requirements. Furthermore, CNIL is well aware that in a context where companies need to become familiar with the methodology for conducting a DPIA and the accountability principle, both of which constitute a big change to what they have been used to doing […] it is important to educate them so that they conduct DPIAs in an appropriate way, rather than sanctioning them immediately. On this point, it is quite interesting to note that CNIL has issued an open source tool for helping companies to conduct a DPIA.”
Besides the DPIA software, CNIL has developed further tools to assist professionals in preparing for and complying with the GDPR. These include a six-step preparation method, guidelines for interpreting key points of the GDPR, and a frequently asked questions section. Furthermore, CNIL is currently working on guidelines for small and medium-sized enterprises, as well as preparing standard form templates and informative lists confirming which data processing activities are subject to DPIAs.
Martin noted, “[Organisations should] focus on making sure that all of the fundamental and basic principles, such as data subject rights, the opposition right, the security measures, data minimisation, the international transfer of data, etc., are well respected and documented in the event of an on-site inspection by CNIL. [It] could be helpful for companies to document their compliance by maintaining a register of data processing, even if, according to the GDPR, a data protection officer is not required or their employee count is less than 250. Compared to some other regulators, CNIL has a more flexible approach to the new obligations, however […] this flexibility is [not] going to last [forever]. Therefore, it is of the utmost importance that data controllers continue to roll out their GDPR compliance programme.”
ANGELA POTTER | Junior Privacy Analyst