
Happy birthday GDPR! Is it really worth celebrating?

Writer: Elisabeth Guissart

Updated: Dec 8, 2021

Written by Raymond Faber and Elisabeth Guissart

Published on 21.05.2019 - Paperjam


"Day 11/365 - One Year Old" by SiK-photo - CC BY-ND 2.0

On May 25, 2019, GDPR blows out its first candle. An opportunity to celebrate this? Nothing is less certain.


Here we are almost one year after the entry into force of GDPR.


What has really happened during this intensive year of compliance? Let's be clear: a lot of things that should have happened years ago (including the entry into force of the 2002 Data Protection Act (now repealed)).


So if we really wanted to celebrate something, it would be 17 years of national data protection legislation or 40 years of data protection in Europe.


But this would probably increase the bad conscience of those who still haven't decided to even start their compliance process. Are there really any? Well, it would seem so!


May 26, 2018 or the day after and the pressure starts to ease...


Oddly enough, recent figures show that while up until May 25, 2018 efforts were redoubling everywhere to get to at least a start on compliance by D-Day, interest in data protection seems to be in free fall since then. Without wanting to generalize these numbers, how can we try to explain them?


It is certainly not a lack of presence or visibility of the National Data Protection Commission (CNPD) that can explain such a drop in interest. Indeed, after actively advising companies in the months leading up to the entry into force of GDPR, it began as early as October 2018, on its own initiative, to launch the first audits, including on the role of the data protection officer ("DPO" or "DPD"), in 25 companies chosen on the basis of their activities, size, etc.


In the absence of sanctions to date in Luxembourg [1], the problem seems to be more about understanding the benefits of compliance: only 33% of companies believe that GDPR has improved their company's governance, and 58% of companies continue to see GDPR as a constraint and not as an opportunity for their company, despite the numerous efforts to raise awareness.


Often, all the documentation is in place, but no one is applying it


Even for the most diligent, it is not enough to have drafted the various documents required by the GDPR (information notices, data protection policy, data access procedure, data breach procedure, etc.), if afterwards they are not communicated and explained in an intelligible way internally.


We know that employee awareness and training is key to the respect of personal data protection in a company. Those who do not train their employees run the risk of being reproached by the CNPD, because data protection must now become part of the corporate culture and each individual employee can be the cause of a data breach and must know how to react in such a situation.


The dizzying rise in the number of data breach reports


Finally, is the sheer number of data breach reports a sign that companies are taking the issue seriously? Yes and no. Because the problem today is that companies often notify anything and everything, without making a precise analysis of the need for the notification, leaving the CNPD to sort it out. If this increasing number of notifications is more the result of fear than of an intelligent analysis, then the answer is unfortunately negative.


As you can see, there is still a long way to go and everything is far from perfect in the GDPR world. Nevertheless, the efforts undertaken by many companies are real and will undoubtedly bear fruit in the medium and long term. The culture of data protection, unfortunately new for the vast majority of players, will not become part of the employees' minds and habits overnight. It takes time, but the key is not to stop along the way.


In that spirit, we won't let it spoil the party!


Happy Birthday GDPR!

[1] The first GDPR penalty in Europe was imposed in Portugal in November 2018, when a hospital was fined EUR 400,000.




The image above is under license CC BY-ND 2.0

 
 
 
