GDPR compliance: how are companies positioned in 2022?
GDPR compliance is a legal issue for companies, which face the risk of sanctions by the French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL). It is also a priority for maintaining a trustworthy image in commercial relationships. Complying with the GDPR is closely tied to the security of information systems, another major challenge for organizations. Yet, faced with the requirements of the General Data Protection Regulation, companies are still lagging and some are failing to meet their obligations.
What is GDPR compliance?
GDPR compliance refers to a process of continuous improvement, designed to ensure a sufficient level of personal data protection. One company out of two estimates that it has an "advanced" level of compliance, but despite the risk of sanctions from the CNIL, many are still failing to meet their obligations. To understand where companies stand, it is important to know what this procedure involves and the legal deadlines it imposes.
The plans for corporate GDPR compliance
The GDPR compliance of an organization follows a plan built around 6 main steps:
- The appointment of a Data Protection Officer (DPO);
- The audit and mapping of personal data processing;
- The prioritization of each action to be implemented to comply with the GDPR;
- Procedures for anticipating and detecting risks to personal data;
- The optimization and reorganization of internal procedures to maximize security;
- The drafting of the necessary documentation to prove the company’s compliance.
Verifying these plans is entrusted to the DPO, who often has to work full time to meet the requirements and deadlines of the GDPR. Almost all companies have taken steps to validate their GDPR compliance plans. The number of data protection officers declared to the CNIL has risen sharply, from 21,000 in 2018 to 28,810 in 2021.
GDPR and compliance deadline, a driving force for companies
When the GDPR became applicable in 2018, the compliance period granted by the CNIL was a maximum of 3 years. Since 2021, all companies that process personal data must be able to demonstrate secure management of that information.
Other deadlines apply in the event of an inspection. For example, where it finds a failure to comply, the CNIL can send a formal notice to the data controller. The targeted organization then has between 10 days and 6 months to respond and take corrective measures, under penalty of a fine. These inspections by the commission encourage compliance: according to the GDPR barometer published by Data Legal Drive, almost one company out of two says it fears a CNIL inspection.
What is the status of corporate compliance with GDPR?
To comply with the GDPR and meet the demands of the CNIL, companies have had to adapt not only their internal processing operations but also the websites and software they make available to users.
Websites are increasingly compliant with the GDPR
According to Data Legal Drive's GDPR Barometer, 67% of companies have integrated a consent management platform (CMP) to ensure their website's GDPR compliance. This may still seem low, but it is far higher than in 2019, when only a third of sites and applications were compliant. Cookie management has in fact become a priority topic for 58% of organizations.
More and more companies are also making cybersecurity a top priority. Among them, 60% have implemented concrete actions to strengthen the reliability of their sites and software in line with Article 32 of the GDPR. That article requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing.
50% of companies believe they have an advanced level of GDPR compliance
Still according to the GDPR barometer, 1 company out of 2 considers that it has an "advanced" level of compliance. Among them, 43% consider that implementing the General Data Protection Regulation is an ongoing process that concerns all departments. In 2021, 60% of organizations invested in data protection training for their employees.
However, there are two major obstacles to compliance. The first is the use of Google Analytics, which was recently challenged by the CNIL. The second is the implementation of standard contractual clauses (SCCs), the model contracts governing transfers of personal data to third countries, particularly the United States. Regarding Google Analytics, 40% of companies are moving towards alternative solutions. As for the SCCs, they form part of the set of documents that data controllers must be able to produce in the event of an audit.
How to comply with GDPR in 2022?
GDPR compliance includes a step of drafting "evidence" to be produced in the event of an inspection. For the CNIL, this process also allows an organization to take stock of its use of digital services and their impact on personal data. The documents fall into 2 main categories: the register of processing activities, and the templates and supporting documents that attest to compliance.
The register of processing activities
The register of processing activities is provided for in Article 30 of the GDPR. This document must describe how personal data is handled and identify:
- Stakeholders and all persons having access to the data;
- The nature of the information concerned (personal, sensitive, health-related, etc.);
- The purpose of the processing;
- The different processes and security rules;
- The duration of the data’s life or retention.
The register must be accompanied by documents describing how individuals are informed, including the procedures in place for exercising the rights of access, rectification and erasure. These documents are mandatory for organizations that process personal data (Article 30(5) exempts enterprises with fewer than 250 employees only where the processing is occasional, presents no risk to data subjects' rights and involves no special categories of data). However, some companies still fail to meet this obligation. In 2021, the CNIL imposed multiple financial sanctions on companies whose practices were inadequate (the fines in question totaled 3.5 million euros).
GDPR compliance templates
The CNIL provides several templates for informing the public or employees of the conditions under which their data is processed. These templates include:
- Examples of forms for collecting personal information;
- Notice templates, for example for announcing the installation of a video surveillance system;
- Templates for legal notices;
- The new standard contractual clauses (SCCs).
These new SCCs preserve data subjects' rights over their data when it is transferred to controllers and processors outside the European Union. They have been in force since September 2021, yet 48% of companies have not yet implemented them, citing a lack of knowledge and, above all, a lack of time.
Against the backdrop of rising cybercrime, it is nevertheless the compliance deadline that remains the major GDPR issue of 2022. Authorities are stepping up their vigilance to preserve the privacy of Internet users. Even though organizations are increasingly committed to GDPR compliance, these new threats and the risk of inspections raise the stakes around data protection.