GDPR: 1 year on and some big steps forward


Interview with Tine A. Larsen, President of the CNPD

The General Data Protection Regulation (GDPR) is celebrating its first anniversary on May 25, 2019. This regulation has been written about extensively, sometimes to extremes. But beyond the legal and technical aspects, it constitutes a political affirmation of Europe as an actor in the digital economy.

This anniversary is an opportunity for us to make an initial assessment, with Tine A. Larsen, President of the CNPD (National Commission for Data Protection).

First some figures to set the scene: in 2018, 172 data breach notifications were received by the CNPD. That is almost 1 notification per day since the GDPR came into effect on May 25th.

How can we appraise such an important number?

“Fortunately, all notifications do not correspond to large-scale events, they are sometimes small things like an email sent to the wrong person. This could be customer data sent to the wrong person or a multitude of recipients in CC and not in BCC, … It is always serious for the people concerned, but this is very limited.”

What are some of the causes of leaked data?

“We found that 60% of the problems are due to handling errors or a lack of knowledge about security procedures. Attacks account for only 27% of breaches, and the majority of these attacks use human flaws to achieve their ends … So technical weaknesses are less common in data leaks, however their impact is greater.”

So, the human factor is the weakest link?

“This can be clearly seen, and irrespective of the intended audience’s level of education… For example, an institution of higher education was the victim of a phishing campaign that asked employees for their passwords and username to qualify for a salary increase … and several people responded! This demonstrates the need to continually raise awareness and educate people about good practices, regardless of their level of training.”

Some companies use “phishing” campaigns to test their employees. This method is not always appreciated … What do you think of this practice?

“This is part of the awareness and control work performed in some institutions. But I would say that we must first do a good job upstream: first train people to prevent them from falling into this kind of trap and then use this technique to test them.”

What are the “at risk” sectors in terms of personal data?

“I would say that there are two types: there are sectors that process a lot of data, such as banks or telecom operators. And then there are those who deal with sensitive data, such as the health or legal sectors. These sectors are particularly exposed, especially if they hold a lot of information about each ‘customer’. But fortunately, we also see that these sectors are the most aware. They already had procedures in place to prevent data leaks or to respond to leaks. They are also the ones who systematically notify us about the slightest incident, even if they are not obliged to… But we prefer too many notifications to too few.”

But not everyone is at this level of maturity yet?

“No, of course. Some prefer an ostrich policy. It is understandable that very small craft or commercial enterprises may feel a little lost in the face of new obligations. That’s why we published explanatory brochures and organized events to bring us closer to each industry. We want to give them information adapted to their context. During these information sessions, we emphasized the role of the data controller and their new responsibilities. In this regard, it should also be noted that this task has been lightened by the GDPR, because there are no more formalities prior to data processing. This means that we no longer need to wait for authorization from the CNPD before embarking on data processing, provided, of course, that all the obligations arising from the GDPR are respected.”

At first, there was a little panic … How do you explain that?

“That’s true, it’s most likely related to the development of a whole sector of “GDPR consultants” who have discovered this new opportunity and have developed their services. They have sometimes scared people by invoking the enormous financial penalties they might incur if they do not comply … We, whenever we intervene, reassure the controllers, especially with regard to sanctions … Because each case is treated individually, and we insisted on proportionality and taking into account any mitigating circumstances… The sky will not fall on the heads of the leaders over the slightest of incidents. If there is a need to sanction, we have a range of actions such as reprimands or prohibitions that we can use before moving on to financial penalties. Secondly, the fact that actors cooperate honestly and transparently with us in dealing with an incident is something we take into consideration.”

The impact on a reputation, is this not the best sanction?

“Yes, absolutely, that is the one to avoid at all costs … because it can be much crueler than all of the sanctions we could declare. Most importantly, GDPR should be viewed as an opportunity rather than a threat. This is an opportunity to make an inventory of the data that are processed and to do a ‘spring cleaning’ at the level of the conservation of certain data, and also at the level of the processes in place.”

Is the GDPR becoming a reference at the international level?

“There are clearly indicators that point in that direction. If we remember the situation 2 or 3 years ago, the GDPR project was heavily criticized, especially in the United States. But since the revelations made by Mark Zuckerberg, the wind has completely turned. California has passed a law that draws heavily on the GDPR and other states are thinking about it. Japan has also adopted legislation that draws heavily from the GDPR, and the European Union has just made a decision on adequacy for data transfers to Japan under this new legislation. South Korea is also moving in this direction, Africa is very interested. The GDPR is shining globally.”

The future looks bright for the GDPR. How do you see the 2nd year?

“In September, we launched a 1st audit for the DPOs (Data Protection Officers), and we will publish good and bad practices, hoping that this will help SMEs that are not yet fully up to standards.”

“We also organize some Data Protection Labs that bring together data processors to exchange ideas for increasing efficiency.”

“We are finally working on a certification project. We have determined the certification criteria and are in the process of defining the accreditation criteria for certifying organizations. In short, we are not running out of projects for the next few months, especially those which help companies make progress in data protection.”

The GDPR is only a year old, but the road traveled has already been considerable. Can it be that we are beginning to understand that it is not another constraint among many, but a tremendous opportunity?