CNIL flexible on enforcement of new obligations for first months of GDPR regime

France’s Data Protection Authority, the CNIL, announced last month that in the first months of implementation of the GDPR, it may not sanction beaches of new obligations or rights resulting from the GDPR, such as the right to data portability and impact assessments. This period of grace, however, requires that the organisations are engaged in the compliance process, are of ‘good faith’ and cooperate with the CNIL.

However, if the CNIL detects breaches of well-established data protection principles, it will act immediately.

Many of the formalities under France’s current data protection law will no longer be there once the GDPR enters into force, but instead data controllers need to demonstrate accountability.

Data processing likely to present a high risk will require a data protection impact assessment that should be carried out within a reasonable time after 25 May 2018. The CNIL will allow a period of three years to complete this task for processing that has previously been subject to the CNIL’s assessment.

See the original article in French here.

At Navigating GDPR: The art of the possible, Privacy Laws & Business's 31st Annual International Conference 2-4 July, 2018 at St. John's College, Cambridge, there will be a session on the CNIL’s policies implementing the GDPR given by Florence Raynal, Head, European and International Affairs, the CNIL.