A version of this post originally appeared in GDPR Report
Happy Birthday GDPR! It’s been one year since the European Union’s General Data Protection Regulation (GDPR) came into effect (May 25, 2018). What have we learned over this past year? Do companies have a full grip on compliance requirements for data collection and processing? How serious have Data Protection Authorities (DPAs) been about enforcement? And how has GDPR impacted other national data protection regulations?
GDPR compliance requires ongoing attention, which brings its own set of challenges, the biggest of which has been resourcing, both financial and in personnel. Finding the right people to do the work is difficult, and demand for seasoned privacy professionals is increasing. It is vital that organisations document their policies and procedures more efficiently, including engaging the business.
Buy-in from the board for ongoing compliance is also a significant challenge for companies. When the threat of huge fines and sanctions was highlighted at the start of conversations around the impact of GDPR, it understandably captured the attention of boards. However, keeping data protection front of mind will be an ongoing challenge.
During the first few months after GDPR came into operation, many DPAs started with exploratory investigations, mainly offering recommendations and guidance for companies in breach, as well as to the business community at large. In effect, DPAs allowed a bit of leeway and the opportunity for organisations to (quickly) get their houses in order. However, this phase is now largely over. DPAs are ramping up enforcement and contraventions are being sanctioned.
We have seen numerous examples of this across different countries and industries, including some involving huge global organisations. Indeed, according to a report to the European Parliament from the Chair of the European Data Protection Board, Andrea Jelinek, eight months after the implementation of the GDPR, 206,326 complaints had been filed with DPAs, of which almost 65,000 were data breaches.
The highest-profile fine levied has been the widely reported €50m against Google by France’s DPA earlier this year, for a lack of transparency and clarity around how it informed the general public about its handling of personal data, as well as the lack of processes in place for obtaining consent for receiving personalised ads. However, there have also been several other examples involving smaller, lesser-known organisations, illustrating how seriously breaches are being treated by DPAs across Europe. This includes a €220,000 fine issued to a Polish company in late March for failing to inform individuals that their data would be processed. This was the first fine issued by the Polish Personal Data Protection Office (PDPO).
While fines can have a significant impact on the reputation of a company, even for those that can afford them, organisations must also be aware of the risk of a temporary or indefinite suspension of processing. There have been two recent examples of DPAs levying this penalty.
The Dutch DPA has sanctioned the country’s tax authorities for using the national identification number as part of the VAT return number for self-employed persons. According to the DPA, the use of the national identification number for this purpose has no foundation in law and increases the risk of identity fraud. As of 1 January 2020, the processing of the national identification number for VAT purposes is therefore prohibited. In Malta, the DPA imposed a similar, but temporary, sanction on the country’s national land register while it investigated how the authority has been processing a data breach. The end result is that no more data can be compromised while investigations take place, and we may well see more temporary processing bans of this kind implemented in other countries.
The influence of GDPR on legislation in countries outside the European Union has continued to grow since May last year. In Europe, Switzerland, Norway, Iceland, and Liechtenstein have aligned regulations almost identically with the GDPR. Numerous countries in Africa and South East Asia are also seeing data protection laws on the rise, particularly those that want to do business with Europe. The Indian parliament is currently debating data protection legislation reflecting aspects of GDPR, while South Korea is updating its regulations in the hope of achieving adequacy in the coming year. Potentially, the country’s current multiple data privacy laws could be combined into one omnibus law that can be considered ‘essentially equivalent’ to the GDPR.
Meanwhile, new laws coming into effect in Brazil and California have also been influenced by GDPR. The LGPD, Brazil’s first General Data Protection Law, will enter into force on 15 August 2020 and, like GDPR, is an omnibus law covering many principles of data protection.
In California, the California Consumer Privacy Act (CCPA) enters into application on 1 January 2020, but organisations have been advised not to wait too long to implement the CCPA requirements, since consumer requests can cover data for the 12 months preceding the request. The legislation is partly inspired by GDPR, but certainly not identical, covering mainly data subject rights, but none of the other accountability obligations included in the GDPR.
The aspects of GDPR most commonly being replicated globally are the guidance around data subject rights, data breaches and accountability requirements. More countries are implementing regulations to help with international data exchange, and we expect to see more cases of legislation incorporating elements of GDPR in the coming years.
Going forward, it will be critical for businesses to keep up to date with regulator guidance and enforcement decisions from their country’s respective DPA in order to know when internal processes may need updating. When it comes to GDPR, and the UK and Europe specifically, organisations should monitor the European Data Protection Board website, which has also started reposting information from national DPAs, as well as ongoing guidance. The penalties for non-compliance and the potential reputational risk are severe, and companies cannot afford to let their privacy programmes lapse.
To mark this milestone, we created a new infographic looking at the numbers on how GDPR compliance and enforcement have progressed this past year.