France’s CNIL Takes a Pragmatic Approach to GDPR Implementation
The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has taken a very active role in clarifying what French businesses’ responsibilities will be under the EU’s General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. Issuing everything from guidelines for processors and SMEs to toolkits and templates, CNIL has taken a hands-on approach to demystifying the GDPR and providing clear steps towards achieving compliance.
The French DPA sees the GDPR as having a strong focus on accountability and transparency. This focus is reflected in the regulation’s emphasis on creating products and services that take data protection into consideration by design and by default, as well as on establishing internal policies, procedures and tools that guarantee optimal protection of individuals’ personal data.
The 6-step Method
In a handy guide entitled “How to prepare for the GDPR?”, CNIL proposes 6 steps towards GDPR compliance that companies can take:
- Appoint a “pilot”: to steer the governance of personal data, companies should assign a data protection officer (DPO) whose role will be to inform, advise and perform internal controls. CNIL suggests assigning a person responsible for compliance even before the 25 May 2018 deadline, to get a head start and formulate a plan for the measures that need to be taken.
- Map processing activities: CNIL advises companies to put together a precise inventory of their processing activities and develop a register for them that would more easily allow them to assess and continually monitor their situation.
- Prioritize the actions that need to be taken: based on the previously mentioned register, companies can identify the measures they need to take to comply with current and future compliance obligations. These can then be prioritized based on the level of risk to sensitive data.
- Manage risks: if companies identify processes that pose a high risk to the rights and freedoms of EU data subjects, they will need to conduct a Data Protection Impact Assessment (DPIA) for each process.
- Organize internal procedures: internal procedures should be implemented to ensure that data protection is taken into account at all times. These should cover all the events that may occur during a process’s lifespan, such as security breaches, requests for access to the data collected, requests for its erasure, etc.
- Document compliance: to prove GDPR compliance, actions and documents completed at each stage must be collected, reviewed and updated regularly to ensure continuous data protection.
In the complete guide, every step is accompanied by supporting documentation and templates for registering processing operations, confidentiality agreements, data breach notifications etc.
Advantages of GDPR compliance for SMEs
In April 2018, CNIL teamed up with the Banque Publique d’Investissement (Bpifrance) to issue a set of guidelines for GDPR compliance specifically aimed at SMEs as well as very small enterprises, or TPEs, which in France are defined as businesses with fewer than ten employees.
CNIL underlined the fact that a company’s size or number of employees is not relevant to GDPR compliance; what matters is the volume and sensitivity of the data it processes. If personal information is not at the core of a company’s activities, the resources needed for GDPR compliance will be negligible.
The French DPA also suggests that GDPR compliance has numerous benefits for SMEs, which lack the complex frameworks bigger companies are built on. It identified six major advantages that small and medium-sized companies will reap from the enforcement of GDPR policies:
- Boost brand confidence: by being GDPR compliant, SMEs are seen as responsible and serious about the protection of their customers’ data, increasing confidence in their products and services.
- Improve commercial efficiency: through increased transparency and data mapping, SMEs can more easily conduct commercial transactions, boosting the efficiency of their processes and their overall productivity.
- Manage better: by implementing data minimization, SMEs can accurately assess their real processing needs, leading to long-term procedure optimization.
- Improve data security: data breaches or leaks can be lethal to burgeoning companies, and in today’s vulnerable digital space, increased cybersecurity measures are essential to the good running of a company, no matter its size.
- Reassure customers and grow the business: in a market where GDPR compliance will be a mark of trust, customers and partners are likely to shy away from organizations unable to prove they are compliant.
- Create new services: the new concepts introduced by the GDPR will be translated into new services, such as data portability solutions, which can become new economic opportunities.
Through the GDPR, SMEs have a chance not only to improve their organizational model, but also to discover an ethical way of capitalizing on data in a harmonized European market.
A period of grace
In a press release from February 2018, CNIL announced that companies would be given a few months of adjustment after the GDPR implementation deadline, during which the authority’s main priority will be to help companies gain a better understanding of their new rights and obligations under the GDPR, rather than to impose fines for non-compliance.
However, CNIL will differentiate between acknowledged fundamental principles of data protection that the authority already upholds and new requirements introduced by the GDPR. Fundamental principles include data security, accuracy and retention, as well as lawful processing and data integrity, all of which were already being enforced before the advent of the GDPR. New obligations, such as the appointment of a data protection officer, restrictions to data portability and data protection impact assessments (DPIAs), will be given some leeway in the first few months after 25 May.
While businesses across Europe cower in fear of the looming deadline that will bring the dreaded new legislation into effect, CNIL has made it its mission to ensure French businesses have a clear idea of what is expected of them, and has taken a supportive rather than punitive approach to ensuring GDPR compliance.