GDPR, now what? Experiences from France

A few months after the introduction of GDPR, it is time to draw up a report of the first French experiences.

Obviously the French data protection authority, the CNIL, is trying to design a uniform case law and make implementation of GDPR easier for companies.

The CNIL gave notice of the major topics on which it intends to concentrate in the near future, i.e. processing in relation to recruitment, supporting documents required by estate agencies, and processing in relation to paid parking services using connected devices.

In the meantime, the CNIL issued guidelines on various aspects to help entities in the compliance process, such as identifying the data controller or data processor, practical security guidelines, certification of DPO, GDPR and blockchain, etc.

The latest guidelines issued focus on the privacy impact assessment (PIA). The CNIL established a list, validated by the European Data Protection Board, of processing for which a PIA shall be performed, along with guidelines to help entities determine whether they should perform such assessments. A list of processing for which no PIA is required is to be issued shortly.

Other tools will be launched as regards clients and prospects, human resources and health vigilance.

Important to note: public consultation also plays a major role in the French implementation of GDPR. Various public consultations have been launched by the CNIL. The last one deals with biometric data in the workplace.

For those who are not yet compliant, it’s time to hurry!





