The French data protection authority ("CNIL") has published its guidelines on practical enforcement of the General Data Protection Regulation ("GDPR") and outlined a short period of enforcement flexibility.
The CNIL has stated that for the first few months following application of the GDPR (on 25 May), from an enforcement viewpoint, it will make a distinction between long-standing fundamental principles of data protection and novel GDPR concepts. Fundamental principles that have long been in force, such as fair and lawful processing, data security and integrity, data accuracy and data retention, will be strictly enforced to ensure they are complied with, while new GDPR obligations, such as data portability and data protection impact assessments ("DPIAs"), will be enforced in a more lenient manner.
When enforcing these new obligations, the focus of the CNIL will be on providing organisations with a good understanding of the operational implementation of these concepts. If a controller or processor acts in good faith, engages in the compliance process and cooperates, the CNIL has outlined that it is unlikely to bring any sanctions against them during the early months of implementation.
For example, in relation to DPIAs, the CNIL has placed an initial emphasis on educating controllers in how to conduct DPIAs rather than sanctioning them immediately. The CNIL is of the view that this pragmatic, educational approach will lead to greater GDPR compliance in the medium term.
It will be interesting to see whether this period of limited leniency and flexibility offered by the CNIL is followed by other data protection supervisors throughout the European Union, such as the Irish Data Protection Commission ("DPC"). Notably, the DPC has not issued similar guidance to date but has emphasised transparency as a focus for early engagement on GDPR.