This article is the first of a series of 3 centered around the GDPR.
If you are curious about:
The first ambition of the GDPR was to reinforce the rights of individuals by making the actors processing the data concerning these individuals more responsible. To do so, a regulation must be credible and efficient. This is why the cooperation between the competent authorities in the field of personal data protection has been strengthened. The GDPR has therefore changed several things for both companies and individuals. Here is a brief overview.
Who is affected by the GDPR?
The GDPR has extended its scope, both geographically and materially. Indeed, it does not only apply to data controllers and processors established on the territory of the European Union, but applies more broadly *as soon as a European resident is directly concerned by a data processing.* Moreover, both controllers and processors are covered by the obligations set out in the text. This is in contrast to the original data protection law, which only provided obligations for data controllers.
Making actors more accountable
Under the 1978 Data Protection Act, amended in 2004 to incorporate the provisions of the 1995 Directive, companies were required to make a prior declaration to the CNIL or even request prior authorization in the case of more sensitive processing of personal data. A data processing and liberties correspondent (CIL) could assist them to ensure that the company was in compliance with the law. The GDPR has reversed this system.
*Companies are now presumed to comply with the GDPR, and in case of a control by the CNIL, they will be sanctioned if they do not. It is up to them to prove that they respect the good practices of the CNIL.* The CILs have disappeared and have been replaced by DPOs, Data Privacy Officers in charge of the company's compliance with the GDPR. Their presence is only mandatory in certain cases. Nevertheless, companies must take measures to be in compliance.
Accountability means sanctions. The ceiling of these sanctions had already been raised to 150,000€ in 2016, then to 3 million with the Law for the Digital Republic. The GDPR has scaled things up considerably.
The CNIL is now competent to punish companies and give sanctions of up to €20 million or 4% of the company's turnover.
Beyond these sanctions, users have the possibility to start group actions against companies in order to claim compensation for damages due to non-compliant processing of their data.
A new right: the right to portability
A new feature of the GDPR is the right to portability, which completes the list of rights already established. It allows users to ask companies to recover their data in an interoperable format in order to keep it, or to transmit it to another company. The goal is to rebalance the competition between players such as GAFA and smaller European companies and to give users more control over their data. The GDPR therefore places its focus on users, by making data controllers and processors more responsible. Hence, they must ensure that they implement measures to comply with this regulation, at the risk of suffering penalties that can be very severe.
The GDPR has brought many changes to the relationship between companies and individuals. It is often considered a real constraint by companies; however, it may also be seen as an opportunity for some to use compliance as a marketing argument. It is an effective way to gain internet users' trust. In order to make the process easier, the knowledge related to this topic and the rules must be put into action. Here is a general article on How to be compliant with the GDPR?.