Each year, the CNIL, the French supervisory authority for data protection, publishes its control programme for the application of the #GDPR rules, i.e. the issues to which it will give priority. This control programme complements other sources of control such as complaints received by the CNIL, reports from other European supervisory authorities, initiatives related to current events, etc.
The control programme for 2021, which was published on the 3rd of March 2021, sets the following priorities:
The publication of this control programme is an opportunity for the CNIL to assess the achievements of the previous year.
Just a few figures for 2020: the CNIL carried out 6,500 acts of investigation, including 247 formal control procedures and 50 in areas (health data security and the use of cookies) that are part of the priorities of the 2021 programme.
The CNIL points out that “website security failures are among the most frequently observed during investigations and can lead to data breaches (2,825 notifications received in 2020, i.e. 24% more than in 2019)”. The CNIL will focus its controls on “personal data collection forms, the use of HTTPS protocol and the compliance of actors with the CNIL recommendation on passwords” but also “the strategies put in place to protect against ransomware”.
The CNIL notes “the ever-increasing challenges linked to the digitisation of the health sector (management of access to computerised patient records within health establishments, online medical appointment booking platforms, management of personal data breaches in health establishments, etc.)”.
The supervisory authority aims to lead data controllers and processors “to raise the level of security of people’s health data”.
The CNIL’s objective is “to ensure compliance with the obligations regarding the targeting of advertising and profiling of Internet users”, its scope of control being extended to “rules relating to the collection of consent” in the light of the guidelines and the recommendation of the 1st October 2020.
In its communication of the 3rd March 2021, the CNIL also states that it will “continue to cooperate with its European counterparts on cross-border processing” according to the cooperation methods of mutual assistance (= sharing information between European supervisory authorities) and joint operations (= controls in France or in an EU country iwiths officials from the competent supervisory authorities).
This is therefore an opportunity for data controllers and processors to review their policies on website cybersecurity, health data security and the use of cookies.
Better late than never.
