The year 2021 was marked by several key developments regarding compliance with the General Data Protection Regulation (GDPR). Here’s a review of 4 notable events to assess their impact and identify the challenges organizations will face in 2022.
International Data Protection: Ongoing Vigilance Required
On the international front, 2021 was notably influenced by Brexit and its implications for data protection. While a regulatory adequacy agreement between the EU and the UK has been adopted, it remains under the EU’s scrutiny, especially given the UK's shifting strategic alliances and its recent efforts to restructure its own data protection regulations.
Beyond Europe, personal data protection is taking shape in several countries. China implemented its own counterpart to the GDPR, the Personal Information Protection Law (PIPL). However, this law does not resolve the issue of data transfers from China, as there is no agreement between the GDPR regime and Chinese regulations. In contrast, South Korea’s data protection regulations were deemed to align with the GDPR.
Given these changes, ongoing monitoring of international data protection rules is crucial for all organizations with a global reach. This vigilance is especially relevant to organizations outside of Europe, such as software vendors, who may be handling cross-border data.
To avoid non-compliance with data transfers outside the EU, it is important to note that the EU published new standard contractual clauses in 2021. These clauses provide legal protection for European organizations, particularly SMEs, while still allowing data transfers beyond EU borders.
Digital Trust: Strengthening Cookie Management
March 31, 2021, marked the end of the CNIL's grace period for compliance with new cookie management requirements. In brief, these requirements mandate that organizations using third-party cookies implement dedicated tools to manage them in accordance with regulations. The significant change is that third-party cookies must now be clearly identifiable, and refusing them must be as easy as accepting them. In other words, directing users to browser settings to block cookies is no longer considered a compliant solution. A dedicated cookie management tool is now essential.
The CNIL has shown its determination to enforce this new regulation with several audits and sanctions. A simple online search reveals that many organizations still have work to do to meet this requirement.
In addition to these updates, new measures regarding cookies, and more broadly the operation of digital platforms, are being discussed or are awaiting implementation at both the European and French levels, concerning both security and consumer rights protection. For example, the establishment of a “CyberScore” was voted on in the French Assembly at the end of 2021. This issue will remain a key focus in 2022.
Three Years and Ongoing Audits!
On May 25, 2021, the GDPR celebrated its third anniversary. On this occasion, several assessments were conducted to evaluate the level of compliance among organizations regarding personal data protection. In France, while surveys show an increasing maturity in compliance, it remains evident that many organizations are still far from fully compliant.
This is concerning, especially considering the audits and sanctions imposed by the CNIL in 2021, which clearly indicate that the CNIL’s enforcement actions target not only the GAFA (Google, Apple, Facebook, Amazon) or large corporations but also public and private organizations of all sizes and sectors. For instance, on September 15, 2021, the CNIL fined a micro-enterprise, run by its president, €3,000.
Thus, many SMEs/ETIs that have not yet addressed GDPR compliance need to make it a priority in their roadmaps to avoid financial penalties and reputational damage, as the CNIL often makes these sanctions public.
Cyberattacks: Securing Information and Personal Data
Security remains a major risk, with significant implications for personal data compliance. The security of information is inseparable from personal data protection. Data breaches have continued to rise, as evidenced by figures from the National Cybersecurity Agency (ANSSI) and the CNIL. The CNIL predicted a doubling of data breaches in September 2021.
As a result, implementing information security measures has become a crucial priority for organizations. While sectors such as healthcare and the public sector are particularly affected, all organizations must consider this issue due to the compliance, reputational, and financial risks associated with such threats.
On all these fronts, RSM's specialized teams in governance, legal techniques, and IT security are available to support you. For several years, RSM has been assisting businesses with the implementation or assessment of GDPR compliance measures, supporting Data Protection Officers (DPOs), providing outsourced compliance management, conducting security audits, and helping optimize security systems.
The evolving landscape of data protection calls for continuous vigilance and adaptation to both new regulatory challenges and security threats in 2022.