On 25 May 2018 the GDPR came into effect - the culmination of months (and years, for some) of preparation and anticipation that brought to mind the Y2K phenomenon. One year on, was the hype justified?
In the months prior to the effective date, many of us were inundated with communications providing us with updated privacy notices and encouraging us to consent to the processing of our personal data. The scramble to obtain consent (whether or not processing was actually based on consent) was likely prompted by the headline-grabbing fines that the Information Commissioner’s Office (ICO) would have the power to impose – up to €20 million or 4 per cent of annual worldwide turnover, whichever is higher. Many data practitioners waited with bated breath for the first sizeable fine under the new regime, but 12 months on, this has yet to occur.
The majority of fines and enforcement notices to date remain legacy complaints under the Data Protection Act 1998 or fines under the Privacy and Electronic Communications Regulations 2003. But it is highly likely that the ICO will turn its attention more fully to the new regime once these are resolved.
While the levels of fines across the EU have not increased as expected, a notable exception is the €50m fine issued to Google by the French regulator CNIL for GDPR breaches. Google is set to appeal and many will watch with interest. Absence of large fines aside, the effect of GDPR has been felt in other ways.
A very marked increase in the number of data breaches reported to the ICO has been noted, with around 9,000 in 2018. Organisations are now required to notify the ICO of all breaches likely to pose a risk to data subjects. However, anecdotal evidence suggests that many, in a desire to be transparent, are reporting breaches which do not meet the reporting threshold. There has also been a rise in data subject requests, in particular for access to personal data and the right to be forgotten.
In November, the ICO issued the first fines for failure to make payment of the data protection fee, and in 2018 issued 103 fines totalling £99,200. Relatively easy pickings for the ICO but a clear indication that compliance is required.
Of course, there is also the issue of Brexit. Britain’s impending withdrawal from the EU (or not) has caused many to think again about data sharing with Europe and the rest of the world. The outcome of ongoing negotiations will undoubtedly impact international transfers.
It is safe to say that the first year of GDPR has not been as remarkable as expected in terms of enforcement action taken, but rather a work in progress for the ICO, with guidance and codes of practice still being updated and a bedding-in process undoubtedly taking place. It would be complacent, though, to think that GDPR was nothing but hype. The ICO has consistently emphasised the need for compliance, and over the past year there has been a significant increase in media interest in the use and regulation of personal data in all sectors. It is inevitable that other regulators will follow suit after the CNIL fine, and the exercise of data subject rights is likely to continue to increase. It seems likely, therefore, that this is simply the end of the beginning and, as 1998 Act cases conclude, GDPR will make its presence felt again.
- Lynn Richmond, partner, BTO Solicitors