The French Data Protection Authority, in response to the companies’ increasing concern caused by the significant increment of the penalty’s amount established by the GDPR system, has been the very first to introduce a real grace period.

The above-mentioned transitory period will consist in the first months following the implementation of the new Regulation. During this period, the controls will be mainly directed at helping companies’ towards a good understanding and operational implementation of the new rights and obligations prescribed by the GDPR, rather than aimed at imposing sanctions.

However, the CNIL makes a distinction between the obligations of the professionals:

- Practices in violation of the fundamental principles of data protection - which have remained largely unchanged - will continue to be strictly controlled and immediately sanctioned.

The exemption indeed, as mentioned, concerns the new obligations and rights prescribed by the GDPR (right to portability, impact assessments, etc.), provided that the organization highlights an overall good faith, demonstrates that it has been implemented a GDPR compliance process and there is a desire for cooperation with the CNIL.

Italy did not undertake any initiative in this sense yet, but the French path - given the delay that characterizes the European scene, with the exception of Austria and Germany - could certainly be a farsighted example.

The press release is available in French at this link