Deborah Dillon is Lead Auditor, Business & Platform Solution for Atos UK&I. She specialises in information governance, including the application and implementation of data protection processes and procedures across a wide range of organisational areas. Deborah is a member of our Privacy Committee.
The arrival of the General Data Protection Regulation on 25 May 25 2018 was highlighted in the media with a high-profile public awareness campaign that informed people of their new rights around their personal information and warned businesses of their responsibility about how they used this information. For me personally, as a Data Protection professional of many years, this meant that now friends and family finally understood the principles that I had been ‘banging on about’ for years previously! data protection is newsworthy, with people now understanding what I actually do for a living.
The UK Information Commissioner, Elizabeth Denham, gave a speech to the International Privacy Forum on 4 December 2018 in which she said that the Information Commissioner’s Office (the ICO) had received over 8,000 notifications of data breaches since the end of May 2018. That is compared with just 3,311 notifications between 1 April 2017 and 31 March 2018, and 2,565 between 1 April 2016 and 31 March 2017.
So far, the evidence of any significant enforcement activity is pretty slim; the European Data Protection Authorities (DPAs) continue to wade through very high work volumes, not least in dealing with over 50,000 data breach notifications since the GDPR came into force last year. However, we are now starting to see examples of the type of business behaviour that is likely to jump the data enforcement queue as well as grab media attention. This does not mean that investigations are not being undertaken behind the scenes by the UK and EU Data Protection Authorities and it is highly likely that we will start to hear again about some of the headline-grabbing breaches that we have seen in recent months and organisations being hit with large fines over the next year.
Some European regulators have already imposed fines. According to the Brussels-based board, there were 11 imposed under GDPR as of the end of March, totalling €55 million in penalties.
The biggest was against Google which was slapped with a €50 million fine by the French regulator CNIL (Commission nationale de l'informatique et des libertés). One of the key themes arising from these complaints is the level of detail that is expected to be included in the transparency information provided to data subjects. For example, in its statement on the Google fine, the CNIL said that Google’s “purposes of processing are described in a too generic and vague manner“, and “that the information about the retention period is not provided for some data.”
The introduction of the GDPR has had other, rather unexpected, applications. For example, Prince Harry’s lawyers invoked the GDPR to argue that a helicopter taking pictures inside his home had invaded his privacy.
So whilst we look ahead to the next year of GDPR compliance across the EU and beyond, and the impending fines under GDPR coming to fruition as case law in this area continues to be built upon and precedents set. Companies that have embraced GDPR as part of the fabric of their digital strategies are already seeing benefits in terms of privacy friendly innovation and growth of their customer bases. GDPR may be viewed as a driver towards increased customer trust and overall business growth. So, 2019 could be the year when the ways companies that comply with GDPR get more uniform across industries, positively affecting customer perspectives.