
GDPR: some pitfalls to avoid

Updated: Dec 8, 2021

Written by Elisabeth Guissart and Mickaël Tome - Avocats à la Cour

Published on 03.07.2018 - Paperjam




The sky didn't fall on May 25, 2018. But the haste with which some organizations began their GDPR compliance work, and the regulatory uncertainty they face, can lead to pitfalls that should be avoided.


As expected, May 25 did not bring a flurry of sanctions. The wait did, however, generate anxiety across all sectors. That anxiety materialized in the many (often clumsy) mass-mailing campaigns we all witnessed (or fell victim to) as the fateful date approached.

This phenomenon is the perfect illustration of one of the many traps into which organizations, anxious to comply within a limited timeframe, sometimes fall.


To meet the new requirements imposed by the GDPR, organizations are sometimes driven to commit significant human, technical and financial resources in a climate of regulatory uncertainty.

While the bill (No. 7184) intended to complement the GDPR at the national level is still under discussion, actors currently lack the legal visibility needed to comply satisfactorily. For example, the rules that will apply to the processing of sensitive data (health, genetics) or to surveillance in the workplace (video surveillance, badges, geolocation, IT, etc.) have still undergone significant changes in the latest parliamentary developments. This instability is harmful.


Practical guidance from the regulators has, of course, been announced. The fact remains that the current uncertainty can lead either to paralysis or, conversely, to overzealousness on the part of organizations.


The first attitude can be summarized as: "Since nothing is happening right now, there is no point in rushing." While this is partly understandable given the uncertainty described above, it overlooks the increased supervisory powers the GDPR grants to the CNPD (Luxembourg's data protection authority), which fully intends to exercise them, while keeping a pragmatic approach that takes into account the size and nature of the organization and the volume and sensitivity of the data processed.


Overzealousness, on the other hand, can also have negative consequences.


One example is a tendency (excessive, in our view) observed since May 25 to qualify as a "processor" within the meaning of the GDPR any external service provider, whatever its field (lawyer, accountant, cleaning company, etc.), without asking which personal data processing operations are actually delegated to it. The question is whether the provider processes personal data on the organization's behalf: a cleaning company, for instance, does not become a processor merely because it has physical access to the offices. This cookie-cutter approach leads to the drafting of new contracts containing the clauses required by Article 28 of the GDPR. It is often inappropriate and places an unnecessary burden on organizations. Admittedly, analysing the role of each party is often delicate and requires some experience.


Another frequent pitfall is confusing information with consent. Informing data subjects (Articles 13 and 14 of the GDPR) is owed whatever the lawful basis relied on and does not require asking for their agreement; consent, by contrast, is required, or can play its full role, in only relatively limited situations. Many people think consent gives the controller legal certainty. The opposite is true: asking for consent that is not needed exposes the organization to an additional risk, since the processing will have to stop if consent is withdrawn, even where it could have rested on a legal or contractual obligation.


Another example is the idea of scheduling a meeting with each individual who exercises their right of access. While such an initiative may seem positive at first glance, it is so cumbersome to implement in practice that it risks becoming an unmanageable bureaucratic machine in the long term. The GDPR, however, is here to stay.

Admittedly, the subject is often technical and implementing the GDPR's principles can be complex. But an overly broad interpretation of certain concepts can distort the text and create an additional risk of non-compliance.


A rigorous approach is of course commendable. But in trying to do better, one often does worse. It is therefore essential not to rush, and to be sensible.

Part of the key to success lies in drawing up a register of processing operations (Article 30 of the GDPR), which forces an organization to examine its own practices and its relationship with personal data. It is on the basis of this register that a roadmap can then be determined: the role of each party, the information to be provided to data subjects, and the residual risks of non-compliance.


In the end, let's not forget that the GDPR was not adopted to paralyze the economy, but rather to protect it from the risk of poorly managed or insecure data processing. Let's stay calm and use common sense.
