CNIL’s first assessment of breaches since the GDPR

The French Data Protection Authority CNIL reports (in French) that in the first four months of GDPR enforcement it received 742 notifications of data breaches concerning more than 33 million data subjects in France. The majority of the notifications were breaches of confidentiality that took place via hacking and intentional theft. It’s quite an alarming finding that points to inadequate data security measures, including malware protection, especially in the accommodation and food service sector, which accounts for the majority of the breaches.

72-hour compulsory notice

The CNIL noted that most notifications took place after the 72-hour notice period stipulated by the regulation. This suggests that organisations are either unfamiliar with the procedures to follow for a data breach under the new data privacy law, or unaware of how large the fines for non-compliance are. The CNIL warns that for non-compliance with the GDPR, it intends to fine companies 10 million euros or 2% of their annual turnover, whichever is greater. However, if the CNIL receives a breach notification within 72 hours of the company becoming aware of the breach, it will be willing to assist and advise the company on steps to limit its consequences. Many companies are beginning to use dedicated GDPR compliance software that covers all aspects of GDPR compliance and lets you manage a data breach notification automatically.

Three pieces of advice from the CNIL

With more and more breaches expected, the CNIL advises companies to take action. At the very least, do these three things:
  • Plan for security and data protection at the very start of each project
  • Educate staff on data security and potential risks
  • Update security on operating systems, servers and databases as often as possible