With the EU General Data Protection Regulation coming into full force and effect on May 25, 2018, the French data protection authority has announced its plans for enforcement activity once that date arrives. Even though the adopted text of the GDPR was released nearly three years ago, in principle giving companies ample time to come into compliance, the CNIL has recognized the reality that many companies are still struggling to understand and execute the many new measures that will be required. Demonstrating flexibility, the CNIL says that it will distinguish between two types of obligations: the fundamental principles of data protection found in the current Data Protection Directive, and the new obligations or rights found in the GDPR, such as the right to data portability and privacy impact assessments.
According to the CNIL, it will continue to “vigorously enforce” the fundamental principles, while focusing on helping companies understand and implement the new rights and obligations. Where companies are making “good faith” efforts to comply with the new rights and obligations, the CNIL states that sanction procedures will normally not be instituted “in the first months.” The very concept of a “transitional period” during which the potential for significant sanctions will be held in abeyance, while vaguely defined, is both pragmatic and generous. The February 19 guidance also waives the need for the immediate completion of a privacy impact assessment by companies whose processing was previously approved by the CNIL and addresses issues faced by companies awaiting CNIL response to their registrations.