GDPR Compliance Guide for French Businesses: Everything You Need to Know

The General Data Protection Regulation (GDPR) — known as RGPD in France — has been in force since 2018, yet many businesses still fall short of full compliance. With fines reaching EUR 20 million or 4% of global annual revenue, and France's CNIL stepping up enforcement, getting this right is no longer optional.

This practical guide covers essential obligations and recent changes, including the 2025 AI transparency requirements.

Why the Stakes Are High

Violation Type	Maximum Fine
Technical violations	€10M or 2% of revenue
Rights violations	€20M or 4% of revenue

CNIL has issued over €400 million in fines since GDPR took effect. SMEs are not exempt — penalties ranging from €50,000 to €500,000 regularly hit organizations of all sizes.

The 7 Core Obligations

1. Informed Consent

Consent must be:

• Freely given — no pre-ticked boxes
• Specific — one consent per purpose
• Informed — clear explanation of data use
• Unambiguous — positive user action required

2. Records of Processing Activities

Mandatory for organizations with over 250 employees, but recommended for all. Must include purposes, data categories, recipients, retention periods, and security measures.

3. Data Protection Officer (DPO)

Required for public bodies, organizations processing data at scale, and those handling sensitive data. Even without obligation, appointing a DPO is best practice.

4. Data Protection Impact Assessment (DPIA)

Required when processing is likely to result in high risk to individuals' rights. Examples: video surveillance, profiling, health data processing.

5. Breach Notification

When a data breach occurs:

• 72 hours to notify CNIL
• Notify affected individuals if high risk
• Document every breach, even minor ones

6. Right to Information

Every individual must know what data is collected, why, how long it's kept, who has access, and how to exercise their rights (access, rectification, deletion, portability).

7. AI Transparency (New in 2025)

Since 2025, organizations using AI for automated decisions must inform individuals, explain the logic used, and allow them to contest decisions.

How to Share Compliance Documents Securely

GDPR compliance documents contain sensitive information: processing records, impact assessments, audit reports, correspondence with regulators.

Sending these via regular email creates additional exposure. LOCK.PUB lets you create a password-protected link with automatic expiration to share documents with your DPO, lawyer, or CNIL. The link self-destructs after viewing — enhanced compliance.

Free CNIL Tools

CNIL offers several free tools:

• PIA: open-source impact assessment software
• Processing records template (downloadable from cnil.fr)
• Subprocessor guide (vendor obligations)
• Sector-specific frameworks (health, HR, customers)

GDPR Compliance Checklist

• Up-to-date processing records
• Published privacy policy
• Compliant cookie banner
• Documented consent processes
• DPO appointed (if required)
• Breach notification procedure
• Vendor contracts with GDPR clauses
• Staff training
• DPIA for high-risk processing
• Process for responding to data subject requests

Common Mistakes

1. Confusing consent with legitimate interest — these are two distinct legal bases
2. Over-retaining data — keeping data "just in case" is illegal
3. Forgetting about vendors — you're responsible for your processors
4. Neglecting security — GDPR requires appropriate technical measures
5. Ignoring data subject rights — you have 1 month to respond

Conclusion

GDPR compliance is an ongoing process, not a one-time project. Rules evolve, CNIL tightens enforcement, and citizens' privacy expectations keep rising.

Start with the fundamentals — records, transparency, security — and build from there. When you need to share sensitive compliance documents, use LOCK.PUB to do it safely.

---

Data protection isn't just a legal obligation. It's a commitment to your customers and employees.