This article appears in the May 2019 edition of Valemus Law's THE BRIEF, a monthly email newsletter containing the latest legal news and opinion from our lawyers. To download your copy, please click on the button above. To subscribe to our monthly news round-ups, please email firstname.lastname@example.org with 'Subscribe to The Brief' in the subject line.
GDPR One Year On
by Rob Beardmore, Senior Editor, Practical Law In-House
Reproduced with kind permission from Practical Law
25th May marked the first birthday of the EU General Data Protection Regulation (GDPR). While this time a year ago, up to our necks in updating privacy policies, getting subject access procedures up to standard, delivering training and so on, perhaps few of us would have been wishing this complex behemoth of privacy law well!
But with twelve months on the clock, and safe in the knowledge that the world didn’t end on 25 May 2018, it is worth stopping to reflect briefly on how far we have come in such a short space of time. Some key numerical snippets:
- 1,792 breaches were reported to the ICO in June 2018 (compared to 657 in May and 367 in April 2018).
- 12 EU member state data protection authorities (DPAs) have issued fines under the GDPR but there have been no GDPR fines issued so far by the ICO.
- The largest fine in data protection history – €50 million – was imposed by the French CNIL on Google in January of this year for failing to comply with transparency and information obligations and failing to have a legal basis for the processing of personalised advertising.
- 5,518 claimants brought a class action (under the GDPR’s predecessor, the Data Protection Directive) against Morrisons supermarket and won. Subject to the appeal, UK employers are now vulnerable to vicarious liability for GDPR breaches by employees and future class actions.
- 103 monetary penalties were issued in 2018 for failure to pay the ICO’s registration fee.
A press release issued by the European Commission highlights some further statistics which illustrate the significant progress in privacy rights the GDPR has brought for individuals, not least in terms of simply raising awareness.
Not only have more that two-thirds of Europeans now heard of the Regulation, new figures show that nearly six in ten people know that there is a data protection authority in their country. This is a significant increase from four in ten people back in 2015.
This raising of the awareness bar of course has brought with it the raising of data protection as a corporate risk, in many cases right to the top. Certainly many millions of pounds have been invested in state of the art compliance programmes and systems. But anecdotally companies have also reported significant improvements in data governance – through data minimisation as well as anonymisation and other security techniques – leading to improved cyber resilience and better decision-making through overall improvement in the quality of the data that is now being retained.
The apparent success of the GDPR has seen many copycat laws springing up across the world, perhaps most notably in California, the home of the tech giants, but also in countries as diverse as Japan, Brazil and Kenya.
On many measures the GDPR has had a good first year and has already changed the landscape but, as it begins to find its feet, we shouldn’t gloss over the many teething problems, and baby analogies aside, challenges that will continue to vex us. A recent article in PLC Magazine, GDPR one year on: taking stock, provides a detailed examination of some of these key themes, in particular:
- The state of limbo while we wait for the E-Privacy Regulation.
- The continued emergence of privacy campaigners (such as Max Schrems) and consumer rights groups.
- The real world HR implications of vicarious liability post-Morrisons.
- The big uptick in data subjects exercising their rights, often for reasons that present a risk to the controller and the rise of the third party aggregators helping data subjects.
- In spite of guidance, the continued uncertainties around when parties are acting as controllers, processors or joint controllers and the implication for contracts and transactions generally.
- The circumstances under which to report data breaches and the records to keep to provide a defensible position.