29 May 2019 | 10.39 am
Guest Blog: Eoghan Doyle, Philip Lee Solicitors
One year later, is GDPR working?
Protecting citizens’ data is the goal of the GDPR, and a year after its introduction it’s off to a flying start, says Eoghan Doyle (pictured), data protection specialist and partner at Philip Lee
In the lead-up to the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018, there was a mix of concern, panic and scepticism about the advent of a new era for data privacy. By last May, most people had heard of GDPR, some understood its key focus and others dismissed it or paid very little attention — possibly believing it was all hype.
One year on, the statistics tell us that indeed the regulation has made a difference. It has made a difference in the awareness of individuals of their rights when it comes to the use of their personal data, and for businesses and government bodies it has made a difference in the way they address risk.
Where data protection might have once been put to the back of the queue in terms of risk priorities, companies recognise that their customers place real value in protecting their data. Consequently, other businesses want to know that their counterpart will not cause them a liability issue or a complaint to the regulator.
What we are seeing is that compliance with GDPR can help or hinder commercial opportunities — depending on how an organisation is dealing with it. If they are not prepared when it comes to complying with the law, projects are stalled, contracts are lost, and the risk of complaints is increased.
- €56,000,000 in fines
- 91 fines handed down
- 4,113 complaints in Ireland over the course of 2018, up 56% year on year
- More complaints were lodged in the six-month period following GDPR than for the whole of 2017.
In the UK, for the period 25 May to 31 October 2018, data protection related cases with the regulator (the ICO) were up 133% compared with the same period in 2017.
Breach reporting has spiked — in Ireland, in the six months after GDPR, reported breaches rose 27% compared with the whole of 2017 (a 70% rise comparing 2017 and 2018 as a whole).
Across Europe over 59,000 breaches were reported, with the top three countries the Netherlands, Germany and the UK. In the UK alone, by September 2018 the ICO was receiving 500 breach reports per week.
GDPR is inspiring other jurisdictions to adopt similar approaches, including the USA, Australia, Japan, Brazil and Canada.
The statistics reveal a growing trend of individuals making complaints, growing awareness by companies of their obligations in reporting breaches (although the data tells us that breaches have been over-reported) and the impact in monetary terms that the regulation can have on business.
The largest fine imposed to date was against Google and imposed by the French supervisory authority, CNIL. The case involved breaches of the rules on transparency, inadequate information provided to service users, and failure to obtain valid consent regarding ad personalisation.
In our practice, the challenges we see organisations facing include: negotiation of contractual liabilities when it comes to breaches of GDPR, demonstrating compliance to investors or a buyer of a business, and effecting change in day-to-day practices in a way that is focused on privacy.
Data protection and Brexit have also been a key challenge for organisations and will continue to be so for the foreseeable future. If a no-deal Brexit occurs, the UK would become a third country for the purposes of the GDPR, thus requiring extra protections to be put in place in order to transfer personal data to the UK.
The most common solution to this has been to plan to implement the EU-approved Standard Contractual Clauses (SCCs) which implement contractual safeguards between data exporters and data importers where personal data is being transferred outside the EEA.
The first step for any business, however, is to draw up a list of suppliers or companies dealt with in the UK, identify the data that is transferring and assess whether this should continue. If the answer is yes, you should start the process of reviewing contracts and putting in place appropriate safeguards for a no-deal scenario.
While the level of potential fines grabbed most of the headlines in the lead-up to 25 May 2018, the GDPR was not brought into being to just impose fines on businesses. The main goal is to protect individuals’ privacy rights, empower citizens to take meaningful action and where appropriate, hold companies to account where they cross the line.
The reality is, every complaint referred to above is capable of leading to a fine or taking up the time and energy of key personnel in dealing with it. Organisations want to avoid this, and this is evident in the time and effort we see being put in by companies to protect themselves and reduce the likelihood of a complaint against them.
The statistics clearly demonstrate that there is greater awareness of data protection rights since GDPR came into effect and, what is more, citizens are prepared to take action and regulators are tooled up to follow through on complaints — the Irish DPC’s funding has risen from €1.7m in 2013 to €11.7m in 2018, and during the same period staff numbers have grown from 30 to 110 and are expected to increase further.
At the end of 2018, the DPC had 15 live investigations into big tech companies, now up to 19. An investigation is under way by the DPC into Google for its online advertising business model and what is known as “real time bidding” of users’ personal data (where your data is traded in an online marketplace as companies compete to get your attention).
All the indicators are that there is an insatiable appetite for businesses to monetise our personal data, regardless of the rules, while at the same time individuals are increasingly exercised about their rights and they, along with the regulators, are taking action.
The two cannot always co-exist. So, while the GDPR was not a revolution in and of itself, but rather built on an already existing privacy framework, it most certainly has changed attitudes and behaviours — and in that regard, it is absolutely working.
+ Eoghan Doyle is a partner specialising in corporate, commercial and data protection law