In the lead-up to the commencement of the GDPR (General Data Protection Regulation) on 25th May 2018, there was a mix of concern, panic and scepticism about the advent of a new era for data privacy. By 25th May 2018, most people had heard of GDPR, some understood its key focus and others dismissed it or paid very little attention – possibly believing it was all hype.

“One year on the statistics tell us that indeed the Regulation has made a difference.” That’s according to Eoghan Doyle, partner specialising in corporate, commercial and data protection law.

Eoghan says: “It has made a difference in the awareness of individuals of their rights when it comes to the use of their personal data and for businesses and government bodies it has made a difference in the way they address risk. Where data protection might have once been put to the back of the line in terms of risk priorities, companies recognise that their customers place real value in protecting their data. Consequently, other businesses want to know that their counterpart will not cause them a liability issue or a complaint to the regulator.

What we are seeing is that compliance with GDPR can help or hinder commercial opportunities – depending on how an organisation is dealing with it. If they are not prepared when it comes to complying with the law, projects are stalled, contracts are lost, and the risk of complaints is increased.”

Key Statistics

  • €56,000,000 in fines.
  • 91 fines have been handed down.
  • 4,113 complaints in Ireland over the course of 2018, up 56% year on year.
  • There were more complaints lodged in the 6-month period following GDPR coming into force than there were for the whole 12-month period of 2017.
  • In the UK, for the period 25 May 2018 – 31 October 2018, data protection related cases with the regulator (the ICO) were up 133% when compared to the same period in 2017.
  • Breach reporting has spiked – In Ireland, in the 6-month period post GDPR, there was a rise of 27% of reported breaches compared with the whole of 2017 (and a 70% rise when comparing 2017 and 2018 as a whole). Across Europe over 59,000 breaches were reported (the top three countries being the Netherlands, Germany and the UK). While in the UK, by September 2018 (4 months after GDPR coming in) the ICO received 500 reports of breaches per week!
  • GDPR is inspiring other jurisdictions to adopt similar approaches – including the USA, Australia, Japan, Brazil and Canada.

More informed customers and regulatory teeth

The statistics reveal a growing trend of individuals making complaints, companies' awareness of their obligations in reporting breaches (although the data tells us that breaches have been over-reported – i.e. they did not need to be reported) and the impact in monetary terms that the Regulation can have on business.

The largest fine imposed to date was against Google and imposed by the French supervisory authority, CNIL. The case involved breaches of the rules on transparency, inadequate information provided to service users and failure to obtain valid consent regarding ad personalisation. See other cases to date in the note below.

Challenges in practice

In our practice, the challenges we see organisations facing include: negotiation of contractual liabilities when it comes to breaches of GDPR, demonstrating compliance to investors or a buyer of a business, and effecting change in day to day practices in a way that is privacy focused.

Data protection and Brexit has also been a key challenge for organisations and will continue to be so for the foreseeable future. If a no-deal Brexit occurs, the UK would become a third country for the purposes of the GDPR, thus requiring extra protections to be taken in order to transfer personal data to the UK. The most common solution to this has been to plan to implement the EU Commission-approved Standard Contractual Clauses (SCCs), which implement contractual safeguards between data exporters and data importers where personal data is being transferred outside the EEA. The first step for any business, however, is to draw up a list of your suppliers or companies you deal with in the UK, identify the data that is transferring and assess whether this should continue. If the answer is yes, you should start the process of reviewing contracts and putting in place appropriate safeguards for a no-deal scenario.

Conclusion

While the level of potential fines grabbed most of the headlines in the lead-up to 25 May 2018, the GDPR was not brought into being just to impose fines on businesses. The main goal of the Regulation is to protect individuals’ privacy rights, empower citizens to take meaningful action and, where appropriate, hold companies to account where they cross the line. The reality is, every complaint referred to above is capable of leading to a fine or taking up key personnel time in dealing with it. Organisations want to avoid this, and this is evident in the time and effort we see being put in by companies to protect themselves and reduce the likelihood of a complaint being made against them.

The statistics clearly demonstrate that there is greater awareness of data protection rights since GDPR has come into effect and, what is more, citizens are prepared to take action and regulators are tooled up to follow through on complaints – the Irish DPC’s funding has risen from €1.7m in 2013 to €11.7m in 2018 and during the same period staff numbers have grown from 30 to 110, which is expected to increase even more. At the end of 2018, the DPC had 15 live investigations into big tech companies, now at 19. Just this week, it was confirmed that an investigation is underway by the DPC into Google for its online advertising business model and what is known as “real time bidding” of users’ personal data (where your data is traded in an online marketplace as companies compete to get your attention).

All the indicators are that there is an insatiable appetite for businesses to monetise our personal data – regardless of the rules – while at the same time individuals are increasingly exercised about their rights and they, along with the regulators, are taking action. The two cannot always co-exist. So, while the GDPR was not a revolution in and of itself, but rather built on an already existing privacy framework, it most certainly has changed attitudes and behaviours – and in that regard, it is absolutely working.

Note – Other International GDPR Fines

  • The Hungarian SA (NAIH) issue a 3,135m fine on a company for denying a data subject access request;
  • The Portuguese SA (CNPD) impose a €400k fine on a hospital for: a violation of the data minimisation principle, a violation of processing basic principles, and also a violation of integrity and confidentiality as a result of non-application of technical and organisational measures to prevent unlawful access to patient data;
  • The UK SA (ICO) fine Bounty (a support club for parents) €454k for sharing 34.4 million records with advertisers, consisting of information of records of 14.3 million individuals. Bounty’s privacy policy language did not provide sufficient notice of the company’s sharing practices, nor was it sufficient to constitute consent to share parents’ information with advertisers; and
  • The Italian SA (Garante) impose a €50k fine on a website operator for lack of implementation of GDPR-related security measures, including: a vulnerability assessment to be periodically repeated on the platform, and a system aimed at strengthening passwords to be used for the creation of the accounts. Interestingly, the fine was not against the Italian political party Movimento 5 Stelle as data controller of the platform, but rather against the Rousseau association as data processor.