On May 25th, 2019, the General Data Protection Regulation (GDPR) turned one. The GDPR is still very much a work in progress. In this piece, data from the European Data Protection Board (EDPB) and various Data Protection Authorities (DPAs) are used to reflect on the one-year anniversary of the GDPR. Specifically, three areas are discussed: the number and nature of complaints, investigations and enforcement, and Data Protection Officer (DPO) notifications over the first year of the GDPR’s existence.
According to the EDPB, 281,088 cases were reported by DPAs during the first year of the GDPR. Of these, 144,376 were complaints whereas 89,271 were data breach notifications.
The top complaint categories appear to be similar across countries, though the language used by DPAs to describe them differs. The major complaint themes included the right to access data and the right to restrict processing, as well as concerns regarding data disclosures and unauthorised processing.
In Ireland, the Data Protection Commission (DPC) received 2,863 complaints between May 25th, 2018 and December 31st, 2018. Of these, 1,928 were GDPR-related. The largest category of complaints related to access rights (30%), followed by those concerning unfair processing of data (15%) and disclosure (11%).
The United Kingdom’s Information Commissioner’s Office (ICO) received 39,825 concerns between May 25th, 2018 and April 2019 in the form of requests for assessment. The ICO has noted that some of these concerns may relate to events that predated the GDPR’s entry into force. The top issues raised by the public over the past year were:
- data subject access requests
- disclosure of personal data
- the right to restrict the processing of data
Investigations and enforcement
The EDPB’s February 2019 report to the European Parliament indicated that 11 countries had imposed GDPR fines totalling approximately Euro 56 million.
The DPC in Ireland has launched 52 formal statutory inquiries under the GDPR, either on foot of complaints or of its own volition. According to the DPC, these are proceeding through the investigative phase. The scope of these inquiries covers a cross-section of GDPR requirements, including transparency, lawful bases for processing, security of processing, and data breach notification requirements. Of the inquiries launched, the DPC has indicated that 18 involve large tech companies. The DPC has also indicated that the ad tech sector is, and will continue to be, a focus due to concerns regarding profiling, particularly using sensitive data, the use of location data, and the lack of lawful bases for processing.
For the ICO, fairness is an overriding theme in its investigations and enforcement actions, noting inquiries into unfair processing and lack of transparency. In terms of priorities, the ICO is looking at data brokers, the processing of children’s data, and ad tech. The ICO has taken 59 enforcement actions.
As of mid-May, the DPC had received 1,185 DPO notifications. Of these, 874 were from private-sector companies, 176 were from public-sector organisations and 135 were from charities. The DPC has conducted an initial analysis of public-sector notifications and plans to remind those that have yet to register DPOs of their obligations.
The DPC plans to establish a Data Protection Officer Network in 2019, “to facilitate the sharing of good practice and lessons-learned through peer-to-peer DPO support.”
The ICO had received DPO registrations from 32,863 companies as of the beginning of May. While a significant number, it is worth noting that more than 600,000 organisations had registered with the ICO by the same date as organisations “that process personal information.” This registration and the applicable fee are required by the UK’s Data Protection Act (2018), unless the organisation is exempt.
What lies ahead
In summary, GDPR enforcement has been limited to date and, where it has occurred, has tended to focus on big tech companies. However, we should expect increased activity in 2019 and beyond, both at the member state level and through the EDPB. It is fair to assume that any grace period afforded to organisations is at an end. Trilateral’s Data Governance team is on hand to help your organisation navigate this nascent regulatory environment.
For more information please contact our Data Governance team: