If data protection doesn’t float your personal or professional boat, May 25th, 2018 probably passed unnoticed.
But if you’re concerned with compliance, you’ll probably remember it as the date when GDPR (General Data Protection Regulation) aligned and updated data rules across Europe for the digital age.
A year on, if you’re not sure how this legislation has changed the way we do business, want to know how it’s been enforced and would like five compliance fixes for your website, pop the kettle on and peruse this blog.
GDPR – the story so far
We won’t rehearse the intricacies of GDPR here — but if you need a refresher on its purpose and provisions, revisit this awesome archive blog.
What’s more relevant at this point is reviewing the ways it’s changed the business landscape, considering some stats on enforcement and working out which areas of compliance are proving problematic. Here are some broad developments:
- A February 2019 EDPB (European Data Protection Board) report revealed that supervisory authorities across Europe had issued a total of roughly 56 million Euros in fines across more than 200,000 GDPR cases reported since its introduction, with around 52% of cases closed so far.
- Around 95,000 of these were complaints, while around 65,000 were triggered by data breach notifications from data controllers. 56 million is not to be sniffed at, but it’s worth bearing in mind that 50 million Euros of this grand total is accounted for by a single case: French regulator CNIL’s fine against Google for lack of transparency and lack of valid consent in using personal data to personalise ads.
GDPR enforcement themes
A deeper dig into GDPR enforcement reveals a few emerging themes. Taking a full legislative temperature check is tricky after only 12 months, but there’s enough evidence to suggest that this regulation is no paper tiger: it has teeth, and regulators aren’t afraid to clamp down on companies with poor practice.
Law firm DLA Piper’s data breach survey reports that GDPR’s requirement to notify regulators of breaches within 72 hours of becoming aware of them resulted in around 59,000 notifications across Europe in the eight months from the introduction of the legislation to the end of January 2019. 10,600 of these were made in the UK, the third-highest count after the Netherlands and Germany, which suggests that the maximum fine of 20 million Euros or 4% of global annual turnover, whichever is higher, is making organisations sit up and take notice of their responsibilities.
So thus far, the surge in reported data protection breaches is the most notable trend, but other significant ones include transparency, consent and Data Subject Access Requests (DSARs):
- In September 2018, browser maker Brave filed a GDPR complaint with regulators in Ireland and the UK asking for an EU-wide investigation into the behavioural advertising industry, specifically the alleged lack of transparency that Google and other ad tech firms provide to web users when collecting their data to build profiles and subsequently serve them ads.
- Privacy International filed two GDPR complaints with authorities in the UK, France and Ireland against two credit reference agencies, two data brokers and three ad tech firms, alleging that they had no valid legal basis for processing personal data and had not provided the requisite level of transparency.
- The expected rise in DSARs has also materialised. Taking the medical sector as an example, BMA statistics from December 2018 showed that patient data requests to GPs had increased by a third since the legislation’s introduction.
Two potential knock-on effects of these trends are worth noting:
- Legal commentators are already warning that greater awareness of the legislation among the public and solicitors could lead to an increase in class action-style lawsuits.
- HR departments should ensure that their data protection and retention systems are robust enough to cope with the significant administrative burden of responding to a DSAR.
The 50 million Euro CNIL/Google fine eclipses all others, but a German data protection authority levied an 80,000 Euro fine in January 2019 for publishing sensitive health data on the internet, and the same regulator had previously fined a company 20,000 Euros for storing passwords in plain text rather than hashing them. The practical caveat here is that the expected control for stored passwords is salted, deliberately slow hashing with a purpose-built algorithm, not reversible encryption: a key that can decrypt the whole password store is itself a breach waiting to happen.
Other cases across Europe are still under investigation and, while the vast majority of these are unlikely to result in financial penalties, regulators haven’t been slow to exercise the full extent of their powers when they deem it necessary.
General GDPR compliance
General steps to GDPR compliance remain the same as ever and include:
- Checking your data protection policies and procedures are GDPR-compliant and ensuring all members of staff are aware of their responsibilities and receive appropriate training.
- Ensuring contractual relationships with customers and suppliers comply with GDPR, especially where they involve transfers of personal data outside the EU.
- Knowing when a data protection impact assessment (DPIA) is required, so that your regime reflects GDPR’s privacy by design principle.
- Making sure all staff know what to do to prevent data protection breaches and the appropriate action to take when a breach is identified.