A year on, is GDPR all hype?
On 25 May, 2018, the General Data Protection Regulation came into effect – the culmination of months (and years, for some) of preparation and anticipation that brought to mind the Y2K phenomenon. One year on, was the hype justified?
In the months before the effective date, many of us were inundated with communications providing us with updated privacy notices and encouraging us to consent to the processing of our personal data. The scramble to obtain consent (whether or not processing was actually based on consent) was probably prompted by the headline-grabbing fines that the Information Commissioner’s Office (ICO) would have the power to impose – up to €20 million, or 4 per cent of annual turnover. Many data practitioners waited with bated breath for the first sizeable fine under the new regime, but 12 months on, this has yet to occur.
The majority of fines and enforcement notices to date remain legacy complaints under the Data Protection Act 1998 or fines under the Privacy and Electronic Communications Regulations 2003. But it is highly likely that the ICO will turn its attention more fully to the new regime once these are resolved.
While the levels of fines across the EU have not increased as expected, a notable exception is the €50m fine issued to Google by the French regulator CNIL for GDPR breaches. Google is set to appeal and many will watch with interest. Absence of large fines aside, the effect of GDPR has been felt in other ways.
A marked increase in the number of data breaches reported to the ICO has been noted, with around 9,000 in 2018. Organisations are now required to notify the ICO of all breaches likely to pose a risk to data subjects. However, anecdotal evidence suggests many, in a desire to be transparent, are reporting breaches which do not meet the reporting threshold. There has also been a rise in data subject requests, in particular for access to personal data and the right to be forgotten.
In November the ICO issued the first fines for failure to pay the data protection fee, and in 2018 it issued 103 such fines totalling £99,200. These were relatively easy pickings for the ICO, but a clear indication that compliance is required.
Of course there is also the issue of Brexit. Britain’s withdrawal from the EU (or not) has caused many to think again about data sharing with Europe and the rest of the world. The outcome of the negotiations will undoubtedly affect international transfers.
It is safe to say that the first year of GDPR has not been as remarkable as expected in terms of enforcement action, but rather a work in progress for the ICO, with guidance and codes of practice still being updated amid a bedding-in process. It seems likely that this is simply the end of the beginning and, as 1998 Act cases conclude, GDPR will make its presence felt again.
Lynn Richmond, partner, BTO Solicitors.