
GDPR: purpose and objectives

Updated: Mar 15

How did the GDPR come about? What are its objectives? And what is at stake?


The GDPR is a legal text that can be difficult to understand if you are not familiar with the legal language or terms used.


In this blog post, we propose to examine the history and the context that led to the creation of this regulation.


First article of Chapter 1 of the GDPR: "Purpose and objectives".

Photo by ALEXANDRE LALLEMAND on Unsplash

The historical context of personal data protection


Since the middle of the 20th century, the amount of data generated has continued to increase. This growth is largely due to the digitalisation of all spheres of society. Today, progress has tipped society into a digital age, particularly with the large-scale dematerialisation of professional, personal and administrative activities, and the appearance of social networks. French law on the protection of personal data has been developed in response to the potential and real dangers of these new technologies.



The beginnings of personal data protection


The first concerns about personal data appeared in 1973. The French government decided to implement the SAFARI project ('Système Automatisé pour les Fichiers Administratifs et le Répertoire des Individus', or 'Automated System for Administrative Files and the Individuals Register'), a project to interconnect administrative files so that each individual could be identified through his or her social security number in a centralised database. The aim was to facilitate the circulation of information between the various public authorities.



SAFARI project - Source: https://sites.ina.fr

On 21st March 1974, the SAFARI project was unveiled by the magazine Le Monde under the title '"Safari" or the hunt for the French', by Philippe Boucher. The news created a controversy and, owing to the general indignation, the project was definitively abandoned. The Prime Minister of the time created a commission called "Informatique et libertés", which was tasked with publishing a report on the need for and means of regulating the processing of data relating to individuals, while demonstrating the dangers and risks associated with certain uses of information technology (1).


SAFARI project - Source: www.lemonde.fr

On 6th January 1978, the law known as "Informatique et Libertés" (2) came into force. Its central principle is that information technology must not infringe on human rights, whether private life, individual freedoms or public freedoms. Information technology must be at the service of the human being and therefore must not undermine human identity. The rules laid down aim to protect data relating to individuals. As a result of this law, the first administrative authority was created in France under the name of Commission nationale de l'informatique et des libertés (CNIL). It is a supervisory authority independent of the public authorities, responsible for issuing an opinion on all data processing projects emanating from the public sector and for ensuring compliance with the legal provisions protecting individuals (3).



The primary concerns at European level


At the European Union (EU) level, as the digital age raises concerns about personal data, the legal context must adapt for EU Member States. On 24th October 1998, the European Parliament and the Council of the European Union adopted the European Directive 95/46/EC. This directive takes up the key concepts and principles contained in the French law of 1978, and aims to create a common basis for all EU countries in terms of personal data protection. Member States are obliged to adopt specific legislation on this subject and to set up a supervisory authority.

In 2004, the law known as "Informatique et Libertés" (Data Protection Act) underwent a thorough overhaul under the impetus of technological advances and associated digital uses, but also of the 1995 European directive. The terms were changed: we no longer speak of nominative data, but of personal data. The protection of the law was extended to paper files, and the private sector became subject to a system of prior authorisation for certain data processing. The power of the CNIL was strengthened by a power of sanction, and it was given the function of correspondent.




The emergence of the General Data Protection Regulation


On 7th October 2016, the law for a digital republic enriched the law on information technology and freedom. This law reinforces the rights of individuals: each person has the right to decide and control the uses made of their personal data.


In this context, on 14th April 2016, the EU adopted the GDPR, whose acronym stands for "General Data Protection Regulation", and it was published in the Official Journal on 27th April. It is a long regulation with 173 recitals and 99 articles. This text is an evolution and not a revolution of the legislation; it is in line with the continuity of the French legislation. However, its application was set for two years later, so that the national legislations of the Member States and the entities collecting and processing personal data could prepare for it.

On 25th May 2018, the GDPR entered into force in each of the EU countries and for all actors carrying out processing of personal data relating to natural persons on its territory. France, like the other EU Member States, retains its own complementary legislation and transposes its directive into domestic law.



Issues associated with the GDPR


Outside of internet browsing, the use of personal data can be disproportionate and lead to particularly intrusive profiling of individuals. For example, the continuous use of video surveillance can lead to self-censorship reflexes by the persons concerned.


In the digital age, personal data has become a pillar of commercial activity. For users, the collection of data has advantages such as better personalisation of the commercial offers sent to them or better comfort during their web browsing, but this collection is not without risk. The multiplication of digital traces generates risks such as spam emails, non-respect of privacy or worse, identity theft.


The GDPR is based on different axes such as the reinforcement of people's rights, the accountability of all data processing actors and the reinforcement of the CNIL's sanctioning powers. Compliance with the GDPR also has many challenges.



The legal issue


The GDPR, as explained in the previous paragraph, is compulsory; to comply is to respect the law in order to avoid a potential sanction. Before imposing a financial penalty, the CNIL may issue a reminder, request that a data processing operation be brought into compliance or that a processing operation be limited, or order that the company respond to requests to exercise the rights of individuals. As a result of an inspection or complaint, a breach of the provisions of the GDPR by the controller or processor may lead to sanctions. These amount to 20 million euros or, in the case of a company, up to 4% of its annual worldwide turnover, and the financial penalties may be made public.



The ethical issue


It is important to show the importance you place on personal data. A lot of information is left behind as soon as you surf the internet. Before the GDPR, few people were aware of how much personal data they left behind or even what was done with it; for example, it could be sold or traded without their being aware of it. Some of this data could even be sensitive and spread on the web. The GDPR came to answer this problem: now we know who has the right to know what about whom. It is important to realise that complying with the GDPR is a way to work in a more ethical world.



The commercial issue


Subcontractors and service providers are under increasing scrutiny to ensure that their internal policies comply with the GDPR. A data controller is also responsible for the processing that is carried out by their subcontractors; non-compliance on their part can lead to sanctions, as seen above. Service providers or subcontractors who do not comply with the GDPR may find themselves excluded from tenders, for example. Being GDPR compliant allows you to differentiate yourself from the competition and to build a better image of your brand and your business.


Being GDPR compliant is a competitive advantage over other companies. It also generates trust among a company's employees, subcontractors and customers. Trust in a company limits the risk of litigation.


