French Data Protection Authority Provides Guidance on Preparing for GDPR

March 28, 2017

Companies have one year to comply with the new EU regulation on data privacy, and it is estimated that only 10% of companies having operations in France are currently ready.

The General Data Protection Regulation (GDPR), a new European regulation that seeks to extend the reach of EU data protection law, will take effect on May 25, 2018.

Under the GDPR, accountability and transparency become the key principles underpinning the European data protection framework. Compliance with the GDPR will be assessed on the basis of an organization’s (i) awareness towards data protection when designing new products and services and (ii) ability to implement internal procedures and tools to guarantee the effective protection of personal data.

Indeed, while the former system was based on formalities and authorizations, the GDPR replaces them with important accountability obligations on data controllers, mainly by requiring covered organizations to

  • perform mappings of personal data treatment processes,
  • self-assess practices and implement procedures to manage data-related complaints,
  • identify and prevent risks related to data-treatment operations, and
  • maintain updated documentation about compliance measures implemented.

In practice, compliance with the new EU regulation will be based on tools such as Privacy Impact Assessments (PIAs) and records of data processing activities.

The French data protection authority (CNIL) has issued a six-step guide to anticipate this change in the legal framework:

  1. Appoint a Data Protection Officer—The data protection officer is the individual who will oversee internal changes related to a company’s data protection management. The data protection officer will advise employees and contractors using collected personal data. He or she will also ensure compliance with national and EU data protection laws and will act as a point of contact for regulatory authorities.
  2. Map Your Personal Data Treatment Processes—In order to assess the new regulation’s impact on their data processing activities, organizations should start listing their various data processing systems, categories of data processed, objectives of processing operations, internal and external actors having access to the data (bear in mind to list subcontractors in order to timely update non-disclosure agreements), and sources and destinations of the data (especially to avoid illegal data transfers outside of the European Union).
  3. Prioritize Actions—After having established a written record of processing activities, organizations should identify actions to be taken to comply with the GDPR. Whatever data treatment is concerned, organizations should (i) ensure that only necessary data are gathered (data minimization), (ii) identify the legal basis on which personal data are processed (such as contract, consent, or others), (iii) make sure that information provided in privacy notices and policies are clear and in plain language, (iv) ensure that subcontractors are aware of their new duties and liabilities, and (v) update non-disclosure, privacy, and data protection agreements.

    If an organization is processing data related to minors; ethnic or racial backgrounds; religious, personal, or philosophical beliefs; health; sexual orientation; criminal records; or genetic information, or if the organization’s data treatment process aims at large-scale surveillance or data transfer outside the European Union, particular provisions will apply, and therefore a specific legal analysis will have to be performed.
  4. Mitigate Risk—If organizations identify risky personal data processing that may constitute a threat to privacy, they will have to perform a PIA. This assessment aims at building privacy-compliant processes/products, assessing the impact on individuals’ privacy, and demonstrating how fundamental principles of the GDPR are complied with.

    PIAs should be performed prior to any data collection/processing, especially in the case of processing that has been deemed to be risky. The PIA will include a detailed description of the data processing and its objectives, an assessment of the necessity and proportionality of the processing, an evaluation of the risks on individual rights and privacy, and solutions to overcome such risks to ensure compliance with the law.
  5. Implement Internal Procedures—In order to guarantee a high level of personal data protection, organizations will be required to implement internal procedures that take into account the wide range of issues that can arise during data treatment processing (e.g., security breaches, user complaints, subcontractor changes). Implementing internal procedures involves considering data protection at the early design stage of an application/process, overseeing internal awareness towards data protection through staff training, addressing users’ data-related complaints, and anticipating any required data breach notifications to the applicable data protection authority within 72 hours of awareness.
  6. Document Compliance—To show compliance with the new regulation, organizations will have to keep an updated log of all actions/documents implemented to ensure continuous data protection. Documentation should include elements related to internal processing of personal data (written records of processing activities, PIAs, and compliance with cross-border data transfer provisions), users’ awareness (privacy notes, consent, and complaint collection mechanisms), and other stakeholder awareness measures (contracts with subcontractors, data breach notification processes).


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Sabine Smith-Vidal
Charles Dauthier