A taster of the GDPR

Although the GDPR may have dominated our thoughts for several months now, is anyone really ready?

On 8 January 2018, the CNIL (French National Commission of Informatics and Freedom) used its sanctioning power to impose a fine of €100,000 on a major retail chain for having failed to fulfil its obligation to “implement the appropriate means to ensure the security of personal data processed within the context of customer after-sales service requests”. This case originated from a security breach in an online customer form (a form created by one of the brand’s sub-contractors) which gave access to personal data.

Based on applicable legislation (Article 34 of the law of 6 January 1978), the CNIL considered that the fact that the development in question had been undertaken by a service provider did not relieve the company – in its capacity as data controller – of its obligation to ensure the security of the data processed on its behalf.

Rather than a revolution, the GDPR is therefore first and foremost an extension of an existing instrument that makes the data controller responsible for protecting personal data. The major changes relate, on the one hand, to the obligations of the data controller and, on the other, to the amounts of the sanctions, which have been significantly increased.

This case also confirms that the sanctions provided for by the French Digital Republic Act of 7 October 2016 are being enforced. The implementation of the GDPR will, however, increase the penalty for failing companies, since the maximum fine will be the higher of the following two amounts: €20 million or 4% of the global turnover of the previous financial year.

The obligation placed on the data controller to vouch for their subcontractors will no doubt generate a multitude of appeals. Together with the increase in cyber attacks, this issue, which also requires securing the customer/supplier contract chain, will increase IT risks for businesses. The public liability components of insurance policies await the fateful date of 25 May 2018 when they will face their baptism of fire.