Arguably the biggest fear of the GDPR for organisations was the potential fines, up to the greater of €20 million or 4% of annual global turnover. As the supervisory authorities have also been dealing with pre GDPR breaches over the past year, such as Facebook, Equifax and Uber, the full impact of the new fines remains to be seen. However, in a February 2019 report the European Data Protection Board (EDPB) revealed that since the GDPR came into force supervisory authorities across the EEA have imposed a total fine of €55,955,871. Notably the majority of this total fine was absorbed by Google. On 21 January 2019, Google received the largest fine under the GDPR, it was fined €50 million by the French data protection regulator, the CNIL, for 'a lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation'.
Guidance on fines
Going forward the EDPB has encouraged supervisory authorities to harmonise their approach to calculating and applying fines across the EEA. It intends to publish guidance to assist with this. In the absence of any EDPB guidance, on 14 March 2019 the Dutch data protection regulator, Autoriteit Persoonsgegevens, was the first supervisory authority to publish national guidelines on administrative fines. It's unclear when we can expect the EDPB's guidance but it's plausible that such guidance could draw inspiration from the Dutch approach. Please note however that any EDPB guidelines would override any national guidelines. Interestingly the ICO mentioned at an IAPP conference in March 2019 that it's been working with the Dutch and Norwegian data protection authorities to develop a fining matrix. Ultimately these steps are a clear indication that fines are at the forefront of the supervisory authorities' minds, as such we can expect to see more fines under the GDPR and hopefully a more consistent approach across the EEA when calculating and applying these fines.
Another big concern for organisations was complying with the data breach notification requirements under the GDPR. As such over the past year there has been a significant increase in data breach reporting. Over 65,000 data breach notifications have been reported to supervisory authorities across Europe. In September 2018, at a cyber-security conference the UK's Deputy Information Commissioner James Dipple-Johnstone highlighted the problem of controllors 'over-reporting' breaches. He said that the ICO appreciates that understanding the reporting threshold will be an issue for organisations in the GDPR's infancy however in future it will discourage any such over-reporting.
Data subject rights
As expected, individuals have become far more aware of their rights under the GDPR than previous data protection legislation. The ICO reported that the top three issues raised by individuals over the past year were: data subject access to personal data, disclosure of data and the right to prevent processing.
On 30 May 2019, in an ICO blog the UK Information Commissioner, Elizabeth Denham, stated that 'the focus for the second year of the GDPR must be beyond baseline compliance'. Organisations must focus on accountability and ensuring that they can demonstrate they understand the potential risks to individuals when processing their personal data and how best to mitigate those risks. While there is no doubt that implementing the GDPR has been onerous for organisations, data protection compliance does not need to be viewed as an obstacle to overcome. In a new era where individuals are more aware of their rights under data protection law and more concerned about how their personal information is processed, if an organisation can demonstrate effective data protection compliance this can inspire trust and confidence in its customers and employees and set itself apart from other organisations.
It's safe to say over the past year organisations and data subjects have taken notice of their respective obligations and rights under the GDPR. As it has been a transitional year it is still too early to assess the full impact of the GDPR as of yet. It is still very much a work in progress, but going forward an increased focus for organisations should be on accountability and privacy by design and default to ensure that data protection compliance is embedded within standard business practices and is not just a box ticking exercise.
DWF's Data Protection Team can assist you with your ongoing data protection compliance. Please contact us directly or at DataProtection@dwf.law
Authored by Sarah Moss