Data breaches: cybersecurity more necessary than ever to ensure compliance of personal data processing with the GDPR
Corinne Thiérache
The importance of cybersecurity is constantly underlined by recent news in France (i.e the new investigation opened by the CNIL- the French authority responsible for ensuring compliance with GDPR – into the notable data leak affecting France Travail regarding its obligation to ensure the security of personal data according to article 5 f. of the GDPR). Moreover, the ANSSI – French authority for cyberdefence and network and information security – underlines that the methods used by cybercriminals have undergone significant evolution with the use of massive ransom campaigns based exclusively on data exfiltration (without ransomware deployment).
Several regulations engage the responsibility of those who had the obligation to protect the personal data exposed to cybercriminals :
- if the CNIL examination highlights an inadequate response protocol to the personal data breach or, upstream, insufficient technical and organizational security measures (art. 32 of the GDPR), it can hold the data controller or even its processor liable (for example, to financial penalty of up to a maximum of €20 million or 4% of worldwide annual sales). In 2023, 9 penalties were applied by the CNIL for breaches of security obligations including a 32 million euros penalty applied to Amazon France Logistique;
- the civil or criminal liability of the data controller may also be engaged in light of the French Criminal Code provisions providing that « carrying out or causing to be carried out a
processing of personal data without implementing the measures prescribed in art. 24, 25, 30 and 32 [of the GDPR]” exposes the controller to a five-year imprisonment and a fine of 300,000 €; - corrective measures and administrative penalties of up to 10 million euros or 2% of annual worldwide sales may be applied by the ANSSI on «operators of essential services» whose failed to implement the preventive measures to strengthen IT networks provided for in the NIS 2 Directive n°2022/2555 of December 14, 2022 on measure for a high common level of cybersecurity across the Union (art. 34). This Directive must be transposed by France before Octobre 17, 2024.
Faced with the risk of personal data leakage, prevention is better than cure: compliance cannot therefore be limited to a one-off action, it must be instilled at all levels of each entity and evolve with it over time, in line with the tools used (particularly those linked to Gen. AI). The ALERION team is at your side to support you in implementing the legal and organizational aspects of your structure’s cyber protection as well as the closely related GDPR compliance. It will also advise you on how to protect your company’s assets against cyber risks as cyber attackers have come to understand the value of the information assets their victims may possess (i.e know-how, intellectual property rights, trade secrets).