Tine Larsen (National Data Protection Commission): A New Deal for Data
Tine Larsen, Chair of the French National Data Protection Commission (CNPD), explains the impact of the General Data Protection Regulation on businesses.
How will the new legal framework change the data protection landscape?
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, replacing the 1995 Directive and the 2002 Luxembourg law. This single data protection regime in Europe will give citizens more control over their personal data while making businesses more accountable and reducing their reporting obligations. At the same time, however, the role of data protection authorities such as the CNPD will be strengthened. The philosophy behind the GDPR is one of "accountability", i.e., making those who process personal data accountable. As a result, the CNPD will move from an a priori to an a posteriori control system. The Commission will be able to concentrate more on its awareness-raising and advisory missions.
"The heavy penalties incurred by companies that seriously breach the new rules symbolize the importance of data protection in the 21st century."
What advice do you have for professionals on how to prepare for the change in the legal framework?
At any time from 25 May, a company will have to be able to demonstrate the effectiveness of the internal technical and organizational measures it implements to comply with the obligations introduced by the Regulation.
The CNPD suggests seven steps for the companies concerned. One, find out about the forthcoming changes. Two, make an inventory of all personal data processing operations. Three, check whether it is compulsory to appoint a data protection officer. Four, based on the data processing register, identify what actions are required to comply with future obligations. Five, carry out a data protection impact assessment (DPIA) for processing operations likely to generate high risks for citizens. Six, put in place internal procedures that guarantee data protection at all times. Seven, document the processing of personal data. Failure to comply with the new rules could result in the CNPD ordering a company to erase or destroy the data in its possession, or even temporarily or permanently prohibit it from processing any data at all! In the most serious cases, the authorities could impose fines of up to €20 million or 4% of the company's annual worldwide turnover. However, the CNPD will use its powers proportionately and judiciously.
And what about commercial e-mails?
The current regime will remain applicable until the final adoption of a specific new regulation. In particular, the use of an e-mail address allocated to a natural person for canvassing purposes will only continue to be possible with the prior consent of the individual concerned, unless the company holds these electronic details as part of a sale of a product or service. Failure to comply with these provisions may still result in criminal penalties. The Luxembourg Consumer Code also prohibits e-mail canvassing or unsolicited telephone calls, which are considered to be "aggressive commercial practices." However, when a product or service is sold, the subscriber can always object to any further canvassing. Companies are required to include a reminder of this option in each message. However, these provisions do not apply to electronic communications between professionals, known as B2B. The law protects personal addresses such as nom.prénom@société.lu, but not addresses such as info@société.lu or contact@société.lu.