State of play in 2022
Coming into force in 2018, the RGPD (General Data Protection Regulation) has strengthened the compliance obligations of organizations handling personal data and significantly increased the penalties applicable in the event of non-compliance. Initially, the GDPR was perceived by companies as a constraint. The first risk posed by this European regulation was obviously financial, so companies had to make major investments (human, technical and financial) in order to comply.
The RGPD has established strong principles, each of which is an obligation that companies are required to respect; examples include:
- Specific legal bases for processing, of which consent is one,
- The right to be forgotten, by deleting personal data at the request of the persons concerned,
- An obligation to inform the persons concerned,
- The principle of purpose limitation,
- A security requirement.
Looking at the figures from Data Legal Drive's RGPD barometer, it appears that nearly one in two companies (47%) consider that they have achieved a level of compliance with their RGPD obligations. Nearly a third (31%) of organizations have appointed a Data Protection Officer (DPO). In addition, this barometer reveals that:
- 65% of organizations have strengthened their IT security systems,
- 60% have trained their employees on the RGPD,
- 53% have updated their legal notices and privacy policies, and are doing a good job of managing cookies.
By 2022, nearly 30% of companies have digitized their personal data processing records, compared to only 14% in 2019.
Cookie management is a priority for 58% of respondents. Nearly 67% of companies have thus integrated a CMP (Consent Management Platform) into their website. For comparison, in 2019, only one website in three was compliant with the RGPD. According to the barometer, companies feel supported and find, for example, that collecting consent from Internet users has become easier since the CNIL published its guidelines on this specific subject.
The fear of sanctions tends to increase as the CNIL has developed a simplified enforcement procedure, making it easier to process the volume of complaints it receives. The rise in cyberattacks is also prompting companies to accelerate the implementation of security measures that comply with Article 32 of the GDPR.
What are the penalties for non-compliance?
The maximum penalties provided for by the CNIL are 20 million euros or 4% of annual (worldwide) turnover, whichever is greater. Fines are increasingly common and depend on the size of the organization as well as on the breach committed.
When breaches of the GDPR or the law are brought to its attention, the CNIL's restricted committee may:
- Issue a call to order,
- Order the processing to be brought into compliance, if necessary under penalty payment,
- Temporarily or permanently limit a processing operation,
- Suspend data flows,
- Order that requests by individuals to exercise their rights be satisfied, if necessary under penalty payment,
- Impose an administrative fine.
Between 2018 and the beginning of 2022, the CNIL issued 25 sanctions against companies or administrations, for amounts ranging from 3,000 euros to 90 million euros.
What is the situation in France?
Not all members of the European Union have allocated equivalent resources to their supervisory authorities to support compliance and sanction breaches of the RGPD. In this respect, France is in the middle of the pack in terms of the budget and resources allocated to the RGPD transition.
The new budget of the CNIL in 2022 is 24 million euros, far behind the German budget of 85 million euros. The CNIL's staff is also relatively small compared to the immensity of the task; in 2022, the number of agents is expected to drop to 263.
France therefore remains within a reasonable average. However, between company policies and the limited resources available relative to the scale of the task, the French transition to the RGPD is far from complete.
Progress still expected
Despite this awareness and the continuous progress of French companies' compliance, many of them are not yet RGPD compliant. The Data Legal Drive RGPD barometer highlights some of the obstacles to successful compliance, such as a lack of time (for 56% of respondents), a lack of clear direction from senior management, or the absence of an action plan.
The study found that French companies are increasingly training their employees on the RGPD, for example through meetings with business departments, targeted communications, and so on. More than 38% of companies deployed at least one e-learning module dedicated to the RGPD in 2022.
While the RGPD is still mostly perceived by companies as a regulatory obligation, more and more managers are also aware that it helps them address security and ethical issues.
What about Ellisphere?
At Ellisphere, the personal data processed is used exclusively for B2B purposes and comes mostly from public sources, but also from private sources. The collection of certain company data by our public sources fulfils legal obligations, as does the official publication that follows it.
Ellisphere's mission is to put data at the service of its customers' business challenges by offering solutions that meet their business development and regulatory compliance requirements.
Reliance on this legal basis presupposes that the interests (for example commercial) pursued by the organization processing the data do not create an imbalance to the detriment of the rights and interests of the persons whose data are processed. Thus, in Ellisphere's business, everything is framed by this balancing exercise, in continuity with previous processing.
Ellisphere has made the processing of personal data a major issue for its organization. Compliance with the RGPD and the protection of data are at the heart of the company's concerns.
Thus, in 2022, Ellisphere once again obtained the Professional Label Privacy Protection - Pact. This label reinforces its legitimacy, which rests on technical and organizational security measures and on processing that respects the RGPD. This label identifies Ellisphere as an organization that can be trusted with data.