Three good reasons to quickly comply with GDPR
- A particularly broad scope
The GDPR (General Data Protection Regulation) aims to harmonize the protection of personal data in all European Union Member States. It therefore has a very broad scope: it will be in effect whenever a European resident is concerned by data protection. This does not apply; however, for an individual within the framework of a strictly personal or domestic activity.
In addition, the obligations of the GDPR are imposed not only on data controllers, but also on their subcontractors.
It is therefore urgent that these players comply with this new regulation that will come into effect on May 25, 2018, as the sanctions are very severe.
- Highly deterrent sanctions
Before GDPR, sanctions already existed to encourage firms to secure the processing of their users’ data. Since it represented such a low threat, in practice, many were not really concerned about the conformity of their procedures. For example, in 2014, in France the Commission Nationale de l’Informatique et des Libertés (CNIL), the independent French administrative regulatory body whose mission is to enforce data privacy law, fined Google for €150,000 which was the maximum penalty it could impose but which only represented … 0.0004% of its sales revenue!
The GDPR intends to break with this tradition of impunity.
- First, the financial sanctions are reinforced: from now on, data controllers who fail to comply with the obligations of the regulation will face a first fine of up to 10 million euros or equivalent to 2% of their global annual sales revenue, and a second may be imposed corresponding to twice the amount of the original fine if other serious violations are committed.
- Second, a person who suffers a prejudice due to lack of GDPR compliance will have a real right to compensation.
- Finally, sanctions of a different nature should encourage data controllers to comply with GDPR: damage to the reputation of a firm whose data processing is not secure, and their consequent loss of competitiveness.
The decisions issued by the CNIL are published on its website and accessible to all.
- Heightened competition
- Our European neighbors are ahead
As mentioned, GDPR is intended to apply whenever a European national is targeted by a firm that handles data protection. In some countries such as Germany, the legal text has been set in motion much earlier than in France. Many companies saw the value in complying with the text and have already invested significant resources. These companies are in direct competition with French companies and thus French firms will have to raise their standards if they want to remain competitive.
The GDPR also intends to enable everyone to regain control of their data: this is what is known as informational self-determination. It is in this perspective that the right to data portability has been created. This allows people to retrieve their data from firm A to transfer it to firm B. This new right encourages competition between data controllers by inviting people concerned about their data protection to choose by whom they prefer their data to be managed.
ALATIS is ready to assist you in your compliance with the GDPR. Contact us at: email@example.com
Anne DESMOUSSEAUX, Founding Partner, Lawyer, European Trademark & Design Representative
This post is also available in: French