



In 2022, we are celebrating the 4th anniversary of the General Data Protection Regulation coming into force in Europe. This regulation was created to guarantee a sufficient level of protection for the personal data of people in the EU. It applies to every organization that processes the personal data of EU residents, wherever that organization is based. Today we will analyze and review several companies to check whether they are compliant or not.
Most websites gather data by using different types of cookies and trackers. Under GDPR, certain rules must be respected when collecting personal information. You can find more details in this post. Here we will summarize some very important points recommended by the French Data Protection Authority, the CNIL (Commission Nationale de l'Informatique et des Libertés):
Let’s take two concrete examples to illustrate.
In the example below, you can see a textbook bad player. This company is infringing several GDPR requirements:
This company is accumulating infringements. If a supervisory authority decides to audit them, they risk heavy fines and serious damage to their brand reputation.
This other company is doing almost everything well but is not compliant on one very important point: cookies and trackers are dropped before the visitor has given consent. Probably the solution they are using does not include automatic cookie blocking; if it does, then they are doing it on purpose. Because let's face it, data has a lot of value, and some companies are not willing to give up even a tiny portion of it.
The short answer is no. We audited 300 European websites, from small and midsize companies to large enterprises. What we found was expected but still shocking: 81% of those companies are not compliant with GDPR. Some of them are doing a few things right; others are doing everything wrong. Something we notice quite often is that these non-compliant companies underestimate the risk, even though the numbers are clear.
In 2021, more than 14,000 complaints were filed with the CNIL. This was an all-time record, and the DPA has stated that it aims to increase its controls and sanctions in the coming years. As a reminder, not complying with GDPR can result in a fine of up to 4% of annual worldwide turnover (or €20 million, whichever is higher). As a result of these controls, the CNIL imposed more than €214 million in financial penalties in 2021 (compared to €138 million in 2020).
Many DPOs would love their website to be 100% compliant, and most of them are truly convinced of the benefits of GDPR implementation. While talking to many of them, we sometimes noticed that their sense of responsibility was limited to staff training and raising awareness. They are quite limited in the actions they can take. Usually, a DPO will reply that ultimately it is the legal responsibility of the CEO. That is a big mistake. A DPO should be the direct representative of GDPR within the company. You can find more information on five recurring problems that DPOs face regarding GDPR compliance and how to solve them.
The GDPR seems complicated: it contains a lot of legal wording and reads like a dense, hundred-page document. That appears heavy and almost impossible to address. GDPR has been made more complex than it needs to be. Fortunately, many companies are here to explain it in plain language and make it understandable. Some organizations have even created technologies aimed directly at tackling this ongoing problem.
Some companies even adopted a Privacy by Design approach, which we strongly encourage.
At Secure Privacy, we try to make GDPR and every other Data Privacy law as easy to understand as possible. Our mindset is to analyze and understand legal inputs and turn them into a technology output and concrete steps and actions to take.
There are many ways to check whether your domain is compliant or not. One of them is to take advantage of the Secure Privacy GDPR compliance scanner to get insights and recommendations quickly. Our scanner will:
If your website is not compliant, you should look at some Consent Management Platforms and make sure the solution you choose meets the legal requirements.
Having a compliant website is not a nice-to-have but a must-have. A lot of website owners underestimate the risks of not being compliant. In case of infringements, the consequences are severe. It is not only about receiving a fine; it is about transparency toward customers, respect, and taking their data very seriously. Violating legal requirements is never good advertising for any company.