HL Chronicle of Data Protection Privacy & Information Security News & Trends

New CNIL Accountability Standard May Become European Model

The chairwoman of the French data protection authority (the CNIL), Isabelle Falque-Pierrotin, has long been an outspoken proponent that companies should have internal accountability mechanisms for data protection compliance.  On January 13, 2015 the CNIL published a standard defining what accountability means in practice.  Companies that demonstrate that they comply with the new standard will be able to obtain an “accountability seal” from the CNIL.

The accountability seal does not create any new rights for a company under existing French law.  Rather, the primary purpose of the CNIL’s new accountability standard is to prepare companies for the day when accountability will become a legal obligation under the future EU General Data Protection Regulation.  Under the draft Regulation as currently proposed, all companies will be obligated to implement some form of internal accountability program for compliance with the Regulation, sometimes referred to as a “data privacy governance” program.  The draft Regulation is not likely to contain details indicating what an accountability or data privacy governance program looks like in practice.  The CNIL standard is therefore likely to create a precedent to which other European regulators may look when they develop their own accountability standards under the Regulation.

The CNIL’s accountability standard is divided into 25 requirements.  The first requirement relates to the existence of an internal privacy policy defining the various permitted uses of data within the company as well as security, data deletion, and archiving policies.  The second requirement is to have an outward-facing privacy policy vis-à-vis data subjects located outside the company, such as customers.  These policies must be approved by the company’s data protection officer (DPO) and updated at least every three years.

The next ten requirements relate to the company’s DPO.  These requirements provide a fairly detailed picture of what likely will be expected of a DPO under the future Regulation.  For example, appointment of a DPO is likely to become obligatory for most companies.  More importantly, as demonstrated by requirement 5 of the standard, the DPO will have a strategic role within the enterprise and should have a direct reporting line to a member of the executive board.  Under the CNIL’s standard, the DPO must be adequately trained and the company must ensure that the DPO has an adequate budget to fulfill his or her tasks.

Requirement 10 states that the DPO must be responsible for implementing the company’s data privacy governance program, which he or she should accomplish by defining internal validation procedures that new products or systems must satisfy.  The DPO also must be consulted at the beginning of key projects.  Requirement 11 states that the DPO must create a comprehensive map of data processing operations within the company, including external data transfers, the use of external processors, and a risk assessment for the various processing operations.  The DPO also would be responsible for administering an internal training program and for assisting the CNIL in any investigations.  The DPO must ensure that the company conducts a risk assessment for processing operations that create particular risks for data subjects, and that adequate measures are put into place to address the identified risks.  For processing operations identified in the risk assessment as meeting this risk threshold, the company must conduct periodic audits to determine whether adequate safeguards have been put into place.

The company also must have a procedure in place to deal with questions and complaints from data subjects.  The company’s IT system must generate and retain logs relating to security threats, and the company must adopt and implement a crisis management plan to deal with data breaches.

On the whole, the CNIL’s accountability standard shows what it considers to be an ideal data privacy governance program.  It also contains a detailed job description for a “new generation DPO” as envisaged by the drafters of the proposed EU Regulation.  For companies thinking about how to put together an accountability program in preparation for the new regulation, the CNIL’s standard provides a valuable benchmark.  However, given the ambitious list of requirements contained in the CNIL standard, it seems doubtful that many companies could implement the full package and thereby obtain the CNIL seal of approval.  The main obstacle likely to be encountered by most companies is budgetary.  To meet the CNIL’s standard, a company implementing a data privacy governance program would need a full-time DPO with enough seniority to have a strategic role within the organization.  A full-time position of this type requires a budget that companies may have difficulty justifying during a period of general headcount reduction.

For a multinational group, the position of European Chief Privacy Officer will probably be located in the country of the group’s main establishment in Europe, and the person holding it will likely implement many of the accountability measures listed in the CNIL’s standard.  Consequently, the “new generation DPO” described in the CNIL’s accountability standard is likely to correspond to the role of the European Chief Privacy Officer.  For a group present in several European markets, the investment in an experienced CPO makes sense in light of the accountability requirements that are likely to appear in the upcoming European Regulation.

In sum, the CNIL’s standard can help companies move forward in developing accountability programs that are likely to be in compliance with the EU Regulation, even before the Regulation’s adoption.