GDPR – What are the obligations and consequences for business?

By 25 May 2018, European data protection regulations will have imposed new constraints on businesses regarding the processing of personal data. Companies that do not comply with the GDPR will be liable to a financial penalty of up to 4% of annual global turnover or 20 million euros. Europe’s goal is to provide a strengthened and harmonised data protection framework that takes into account recent technological developments (big data, connected objects, artificial intelligence) and the challenges that accompany these developments.



Who is concerned?


Any legal entity, public or private, that collects, stores and/or uses the personal data of citizens of the European Union when this legal entity:
> Is located in the European Union or outside the European Union,
> Handles the processing of this personal data:
– Itself or by subcontracting,
– For its own account or on behalf of third parties.



Who are the personal data processing players in the company?

GDPR - What are the obligations and consequences for business?

Who is responsible in the event of non-compliance?


Data leakage or non-compliance with the GDPR can have multiple impacts for service providers, partners and customers, but especially for the company itself in terms of image and reputation. In case of non-compliance with the law on personal data, the legitimate manager is the corporate officer of the company.



What new rights and obligations are we talking about?


To be in compliance with the GDPR, companies will have to submit several documents on:


Contracts that define the roles and responsibilities of stakeholders
> Contracts with subcontractors
> Internal procedures in the event of data breaches
> Evidence that persons concerned have consented when the processing of their data is on this basis.
Processing of personal data
> The processing register (for processing managers) or the processing activity categories (for subcontractors)
> Privacy Impact Assessments (PIAs: see attached data sheet) for processing likely to create increased risks to the rights and freedoms of individuals
> Supervision of data transfers outside the European Union (in particular, standard contractual clauses, BCRs and certifications).


Information of persons
> Information notes
> Models of obtaining the consent of persons concerned
> Procedures put in place for the exercise of rights.



What penalties do companies face for non-compliance?


The administrative sanctions are various: warning, formal notice to the business, temporary or indefinite limitation of processing, suspension of data flows, order to satisfy the requests for the exercise of rights of persons, order to rectify, limit or erase data. For new compliance tools that can be used by companies, the authority may withdraw the issued certification or order the certification body to withdraw the certification.

> Failure to comply with the right to a “digital will”: €3M
> Failure to comply with the essential principles and obligations of the GDPR: €10M or 2% of turnover
> Failure to comply with the principles of the rights of persons: €20M or 4% of turnover.





In general, the CNIL’s monitoring powers remain unchanged. The main change lies in the fact that the monitoring carried out on international players will take place in a context of very strong cooperation which will lead to a harmonised decision with European scope.


The CNIL will distinguish two types of obligations imposed on professionals:
> The fundamental principles of data protection remain essentially unchanged (fair processing, relevance of data, retention period, data security, etc.). They will therefore continue to be subject to rigorous checks by the CNIL.

> As for the new obligations or rights resulting from the GDPR (right to portability, impact assessments, etc.), checks will be mainly intended, as a first step, to support the organisations towards good understanding and operational implementation of the texts. In the presence of organisations in good faith, engaged in a compliance process and showing cooperation with the CNIL, these checks will normally not aim to lead, in the first months, to sanction procedures on these points.

GDPR - What are the obligations and consequences for business?