Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said that the Commission Nationale de l’information et des Liberties (CNIL), the French data protection authority, would be likely to consider the steps businesses were taking towards compliance in determining whether to take enforcement action once the GDPR begins to apply.
This is because most businesses in France are unlikely to be fully compliant with the GDPR by 25 May this year, the date on which the new Regulation takes effect, she said. Richard said it was welcome that the CNIL had recognised this fact in a recent statement.
"The CNIL has confirmed that companies that are not fully compliant with the GDPR by 25 May can expect to be treated leniently initially provided that they have acted in good faith by attempting to achieve compliance," Richard said. "Those comments by the CNIL refer only to compliance with the new obligations that GDPR introduces on organisations, such as on the right to data portability and on conducting data protection impact assessments."
"Businesses should note that the CNIL's position on enforcement will be different, and much stricter, in relation to non-compliance with the 'fundament principles of data protection'," Richard said. "These include rules on fair processing, the requirement to delete data once it is no longer necessary to hold it, and obligations on keeping personal data secure, which will be largely the same under the GDPR as they are currently."
Richard said that Pinsent Masons in Paris will be hosting an event on 12 April for businesses to help them prioritise the steps they need to take to achieve compliance with the new Regulation.
"The GDPR contains a raft of major changes to data protection law and many businesses are as yet unprepared to achieve full compliance by the 25 May deadline," Richard said. "Due to the large volume of work it will take to achieve full compliance, for many businesses it will be important to identify the main measures they need to implement as a priority before that date."
"The CNIL's statement makes it clear that businesses that have a plan in place to achieve full compliance, and are working towards it, are likely to benefit from initially lenience from the authority if they are found to be in breach of the GDPR's new requirements after 25 May. It is not too late for businesses to develop and begin to implement compliance plans," she said.
Richard said that while most of the CNIL's focus on compliance is likely to fall, initially at least, on the biggest companies with largest resources, there is a commercial imperative for small and medium-sized businesses in France to achieve compliance too.
"Because of the potential for major sanctions to be imposed under the GDPR, large businesses will be particularly conscious of ensuring that their suppliers are compliant with the Regulation too – SMEs that process personal data on behalf of larger business customers risk losing out on contracts if they fail to meet the new standards," Richard said. "Beyond that, there is also a growing feeling among the business community that the GDPR will offer business opportunities to those that 'sell' best practices on privacy and demonstrate compliance with consumers. Businesses that fail to move with this trend risk being left at a competitive disadvantage."