Interview in the Washington Internet Daily Vol. 21, no. 100 dated 22 May 2020 available here.

The need for resources depends on each DPA’s ambitions, emailed K&L Gates (Paris) data protection lawyer Claude-Etienne Armingaud. “White whale chaser” DPAs go after a limited number of large emblematic targets and/or impose major fines to “set resounding examples,” while the “sardine boxers” prosecute more limited profiles enterprises but for smaller amounts, he said. “It seems that all DPAs are active, each according to its means and with a common goal in mind: making it clear that no-one is exempt from potential fines.”

Companies are widely trying to comply, which in itself is a success for the GDPR, Armingaud noted. “Compliance is a moving target” because additional processing operations may have been carried out or previous ones changed in areas in which initial compliance efforts weren’t undertaken. Compliance also depends on how the regulatory framework and its interpretation evolve, he said. The major noncompliance issues Armingaud has seen “stem from over confidence by some clients—either brushing off the consequences of non-compliance or assuming that compliance on paper is sufficient.” The “corporate culture of data protection” that GDPR sought to introduce isn’t there yet, and data protection is still “perceived as a niche issue.”