The European Union (EU) adopted the General Data Protection Regulation (GDPR) on 27 April 2016, but granted Member States (including a pre-Brexit United Kingdom) a two-year implementation phase. The GDPR became applicable from 25 May 2018. In this article, we consider five of the most important consequences of the GDPR as it turns five.
The GDPR requires organisations to take responsibility in respect of their processing of personal data, and to be able to demonstrate the steps that they have taken to achieve compliance. Integral elements include data protection by design and default and records of processing activities.
Accountability obliges organisations to establish a documented and formalised data protection framework, rather than taking an ad hoc approach to compliance. However, it must be acknowledged that a proportion of organisations will still be playing catch-up in 2021 and arguably beyond, due to the time-consuming nature of this task.
Accordingly, it is important that senior management at organisations ensure that they provide ‘buy-in’ and appropriate resources for data protection compliance.
The GDPR has raised the profile of data protection in the public mindset. Individuals are increasingly aware that they have rights as data subjects and that organisations must comply with obligations in respect of the processing of their personal data. This is borne out by the growing prevalence of reporting on data protection concerns on the front pages of the mainstream media, initially hastened by intense transatlantic interest in the Cambridge Analytica story, which broke in the months leading up to the GDPR coming into force. Public interest in data protection is likely to gain further momentum in the event of further high-profile personal data breaches and/or successful data subject compensation claims.
Accordingly, it is important that organisations consider how savvy their clients or customers are about data protection when communicating with them, and continually account for the risks of reputational damage and financial loss when setting their risk appetite and controls.
Brexit is one of the most significant political changes concerning the UK for generations. It is theoretically possible that a post-Brexit UK could diverge from the EU in its view of the adequacy of data transfers to the US, but this would represent a significant gamble, in that it would almost certainly have an adverse impact upon the UK’s impending adequacy decision from the European Commission (EC). However, it is an oversimplification to assume that international data transfers are the only aspect of data protection law affected by political considerations.
For example, the UK Government is currently in the process of recruiting a new UK Information Commissioner, but has received criticism from several MPs and peers who have asserted that: “The impression has been made that DCMS seeks an Information Commissioner that will work to remove protections within current laws, to reduce the risks of enforcement action, and rather than guarantee the rights of individuals, will seek to “balance” rights against concerns such as “regulatory certainty” and economic growth. That is, DCMS is seeking an Information Commissioner whose policy views match its own, rather than a regulator that will seek to enforce the law as Parliament has written it.”
Accordingly, it is important that organisations remain aware of and up to date with wider political developments that may impact on their data protection compliance and adjust their strategies as appropriate.
Supervision and enforcement
It was widely anticipated that the introduction of the GDPR, which substantially increased the maximum amount that data protection authorities are empowered to fine organisations to £20,000,000 or 4% of worldwide annual turnover, would lead to a surge in the frequency and size of fines. The extent to which this expectation has been realised is a matter of debate; however, it is clear that the number and severity of fines imposed by data protection authorities have varied across Europe.
The Irish Data Protection Commission (DPC) has issued eight fines, totalling approximately €875,000, although this figure includes a single fine of €450,000 for Twitter and four fines totalling €200,000 relating to Tusla Child and Family Agency.
The UK Information Commissioner’s Office has issued four fines, totalling approximately £39,925,000, although the fines for British Airways and Marriott International Inc account for approximately £38,400,000 of that figure and are the fourth and fifth highest fines imposed in Europe to date.
The data protection authorities in Belgium, Bulgaria, the Czech Republic, Germany, Norway and Poland have imposed approximately 20 to 30 fines each; Romania has imposed over 50 (totalling approximately €693,350), Italy over 70 (totalling approximately €76,217,601) and Spain over 220 (totalling approximately €29,402,510). The French data protection authority imposed the highest individual fine of €50,000,000 on Google Inc in January 2019.
Accordingly, it is important for organisations to be aware of, and remain up to date with, the regulatory strategies of the data protection authorities in each of the countries in which they process personal data, in order to improve their understanding of how each of these authorities interprets the provisions of the GDPR and evaluates data protection risks. Such organisations should use this awareness to inform their approach to compliance and information risk management.
Arguably, the greatest success of the GDPR is not its impact upon data protection in the EU and the UK, but globally. Multiple non-European jurisdictions have implemented, or are in the process of implementing, their own data protection laws, to a significant extent in response to the GDPR and/or using the GDPR as a basis. Examples include Brazil, California, India, South Africa and Thailand.
There are two main reasons for these global developments. Firstly, pressure upon non-European governments from their own citizens has accumulated due to the perception that individuals whose personal data falls within the scope of the GDPR are afforded greater protections, for example in respect of the recent WhatsApp privacy notice update. Secondly, the invalidation of the EU-US Privacy Shield by the Court of Justice of the EU in its “Schrems II” judgment has highlighted that non-EU countries whose laws are not compatible with those of the EU and UK may find it difficult, if not impossible, to participate in international data transfers with the EU and UK.
Accordingly, it is important for organisations to be aware of, and remain up to date with, the data protection regimes under which they process personal data, whether directly or indirectly via a data processor (in particular, cloud computing). Such organisations should also consider whether it would be appropriate to establish a ‘baseline’ data protection standard to simplify the international obligations to which they may be subject, for example by designing a single privacy notice template which complies with the most stringent requirement rather than a different template for each country.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in respect of data protection compliance. We offer a range of data governance services, including compliance support. For more information please feel free to contact our advisers, who would be more than happy to help.