The fourth anniversary of GDPR raises many questions. While record fines have been imposed in recent months, totalling more than a billion euros, companies are still struggling to consider compliance as a strategic project.


Launched on 25th May 2018, GDPR (General Data Protection Regulation) has just celebrated its first four years of existence. As a European regulation, the text adopted four years ago was directly applicable throughout the EU without requiring transposition in the various member states (unlike a directive).

The one-stop shop mechanism, a genuine innovation introduced by GDPR, is intended to harmonise the decisions of data protection authorities on cross-border processing at European level. It is an unprecedented mechanism for ensuring cooperation and consistency between these authorities.

More than 800 cooperation procedures were carried out between 2018 and 2021, following which nearly 300 final decisions were adopted. The CNIL (Commission Nationale Informatique & Libertés, the French data protection authority) was designated lead authority for 94 of these files and concerned authority for 400 of them. A file generally corresponds to one type of breach for a given body and can cover several complaints.

79% more breach notifications received by the CNIL in 2021

In France, the CNIL recorded 5,037 breach notifications in 2021 (counting only complete and initial notifications), compared to 2,821 notifications in 2020, a significant increase of 79%.

There are several reasons for this sharp increase. One is the strong growth in cyberattacks, particularly ransomware, which is the main cybersecurity threat to companies, local authorities and public bodies. Another is better uptake of the notification obligation, resulting from greater attention to cybersecurity issues within organisations and from the definition and implementation of internal processes to detect and respond to personal data breaches. A further reason is wave notifications: when a subcontractor is affected by a security incident and informs its many customers, each of those customers then proceeds to notify the authority itself.

EUR 1.6 billion in fines imposed over the past four years

At European level, the pace of fines imposed by European authorities on companies that do not comply with GDPR has accelerated sharply over the past 12 months. While the total amount in fines was only EUR 300 million a year ago, it has now jumped to more than EUR 1.6 billion, with record fines imposed by Luxembourg on Amazon (EUR 746 million) and by Ireland on WhatsApp (EUR 225 million).

In France, the CNIL imposed 18 sanctions last year, including 15 fines, for a total of EUR 214 million compared to EUR 138 million in 2020, a significant increase of 55%. Of the 18 sanctions, half involved a breach related to the security of personal data. Four of the penalties related to poor management of cookies and other tracers. Well-known companies have been caught in the CNIL's net: Carrefour France (fine of EUR 2.25 million), Carrefour Banque (EUR 800,000), AG2R La Mondiale (EUR 1.75 million) and Free Mobile (EUR 300,000).

Go beyond the fear of punishment

These fines are necessary. They serve as examples for other companies and groups, encouraging their managers to take the necessary measures so as not to be affected by these sanctions. But it is unfortunate to note that this fear of fines is still one of the main motivations for compliance.

According to many DPOs, awareness-raising efforts should be much more noticeable and become the real catalysts for the transformations expected from companies and organisations. It is essential that managers understand the issues related to GDPR as a whole. GDPR compliance is a business project in its own right. This is a systemic issue and does not depend on IT or compliance departments/DPO alone. The issue belongs to the entire management committee, who must seize it to help the DPO in their numerous and complex tasks.


DPO: A complex job that needs support

The DPO must ensure that all of a company's historical applications (the legacy applications) comply with GDPR, whether they were developed internally or supplied by third parties. The Google Analytics case illustrates this issue: the use of this software, one of the most widely used in companies for audience measurement, now poses a problem from a data protection point of view. Following the decision of the Austrian Data Protection Authority on the lack of GDPR compliance of the Google Analytics tool, the CNIL spent a long time examining the case after several complaints from the NOYB association. In this context, the CNIL considers that these data transfers outside the EU were in breach of GDPR and, consequently, that the use of Google Analytics had to be suspended.

Beyond Google Analytics, compliance must be checked for all applications, whether official or part of shadow IT, as well as for all the Excel files, databases and other storage spaces offered by most collaborative work solutions. This is an enormous task that many DPOs fail to accomplish for lack of means, time, budget and support from their general management. The situation is aggravated by the rise of hybrid work, which has multiplied the number of media on which data is stored.

Compliance: A strategic issue

General management today must take the subject of GDPR compliance seriously and treat the principle of privacy by design as inalienable. In order to know precisely what personal data a company collects and to trace its path and life cycle, existing applications must be mapped and privacy impact assessments must be carried out.

However, GDPR compliance is not just a matter of technology. Governance also matters, and visible leadership from company management is essential. Moreover, GDPR compliance should be seen as a real opportunity to create value for the whole organisation. Leaders should recognise this quickly in order to give their organisation a head start over the competition.