This article continues from Part I, which is published separately.
Future GDPR regulatory landscape
Higher risk of enforcement on the horizon?
In the GDPR's first year we have seen a large number of complaints and data breach notifications to regulators but comparatively few enforcement actions and fines. There are likely several reasons why enforcement activity has been relatively slow so far. First, a number of DPAs will have faced challenges in preparing for the GDPR themselves; they are likely to have needed to expand their existing resources and to equip themselves for new cooperation mechanisms such as the "one-stop-shop". Secondly, some DPAs may also have chosen to allow organisations more time to complete or improve their GDPR compliance programmes and therefore opted for a relatively light-touch approach to enforcement in the past year. Instead, many spent time and resources on preparing guidance for businesses. Thirdly, the reality is that during the GDPR's first year, many DPAs will still have been primarily concerned with historic infringements which occurred pre-GDPR, and which therefore needed to be dealt with under the previous legislation. However, things may change now that DPAs have been allocated more resources, have started to recruit more staff, and have gained some experience in cooperating on cross-border cases (over 400 cross-border cases requiring some form of cooperation among the regulators have been reported as of 22 May 2019). As noted above, some DPAs, like the ICO and IDPC, have also suggested that they intend to intensify their enforcement activities over the coming months.
Increased privacy awareness among Internet users, consumers and individuals
Individuals across the EU have become increasingly aware of their data protection rights. The latest figures from the EU Commission (as of 22 May 2019) show that 67% of Europeans have now heard of the GDPR and 57% know that a public authority in their country is responsible for safeguarding their rights. The figures also indicate that 20% of Europeans even know which public authority is responsible. This heightened awareness is likely to be attributable in part to DPAs having become generally more active in public campaigns aimed at individuals; for example, the ICO recently launched an initiative to raise public awareness of online targeting and individual profiling. Increased awareness is likely to result in more requests from individuals to exercise their rights and more complaints to DPAs, which may ultimately lead to more investigations and enforcement actions.
More complaints by not-for-profit organisations
A number of complaints to the DPAs have been brought by not-for-profit organisations (such as "None Of Your Business" (NOYB), led by privacy activist Max Schrems). Under the GDPR, individuals can mandate these organisations to act on their behalf in respect of data protection violations. Given that data security breaches and other violations of the GDPR usually involve a large number of individuals, over time this could lead to large numbers of claims by not-for-profit organisations.
Sandboxes and other similar business-friendly initiatives by regulators
The ICO seems to be paving the way in helping businesses comply with data protection law while using data in innovative ways. To this end, the ICO has launched a "sandbox" initiative to assist and advise selected organisations from different industries with respect to innovative data usage and data protection compliance. The ICO is also looking at ways to foster the use of privacy-enhancing technologies (based, for example, on anonymisation, pseudonymisation, homomorphic encryption and differential privacy). In time, other DPAs across the EU may also develop business-friendly initiatives which promote technological innovation.
What should organisations do in light of these regulatory trends?
· Continue embedding privacy and information security in their general risk assessments, taking into account a heightened enforcement risk over the coming months as a consequence of a more mature regulatory framework.
· Prioritise compliance with the core GDPR principles (including accountability, transparency and lawfulness of data processing e.g., notice and consent).
· Watch out for regulatory developments in their country (or countries) including guidelines on specific thematic or industry areas.
· Consider participating in sandboxes (where there is appetite to experiment with innovative data usage in a safe regulatory environment) or other initiatives by their competent DPAs.
· Make the most of tools and resources which are made available by DPAs to facilitate compliance.
· Continue to foster a culture of privacy in the organisation (including emphasis on training, data subject rights and requests, breach reporting, information security, and compliance documentation).