5 years after RGPD came into force

On January 2018, in an opinion piece in Variance magazine, CASD presented the major upcoming changes introduced by the European Regulation on the Protection of Personal Data (RGPD). Largely compatible with the French Data Protection Act, it nonetheless introduces significant changes, describing the following points in particular:

• The European scope of data protection obligations
• Increased accountability and safety obligations for all players, in return for simplified procedures (no more prior declarations or requests for authorization, except in certain sensitive areas such as health).
• The obligation, for the most sensitive processing operations, to carry out a Data Protection Impact Assessment (DPIA).
• Involving the subcontractor in the chain of responsibility

Since then, the provisions accompanying this regulation have been implemented everywhere (such as the introduction of Data Protection Officers (DPOs), processing registers, etc.).

5 years after it came into force, the RGPD is now a powerful data protection tool for the European Union (EU) and its member states, cited as a model internationally. The ethical principles laid down by this regulation (purposes, transparency, information, rights, security, minimization, consent…) apply everywhere to protect the use of European citizens’ data by private (platforms, social networks..) or public organizations. This protection has become essential as the use of such data continues to grow.

In France, the Commission Nationale de l’Informatique et des Libertés (CNIL) assists research projects and statistical studies in their compliance procedures. The CNIL also carries out its supervisory role in conjunction with other European supervisory authorities. As a result, sanctions are regularly imposed on organizations that fail to comply with the principles of the RGPD, and these sanctions are all the stronger for the fact that they are carried for all EU member countries and are widely reported in the press.