by GDPR Associates | 5th July 2019 8:52 am
What have we learned from the 12 months that the General Data Protection Regulation has been in force? Ibrahim Hasan reports.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force on 25th May 2018 with much fanfare. It was the biggest change to data protection law in 20 years and, with GDPR carrying a maximum fine of 20 million Euros or 4% of gross annual turnover (whichever is higher), the marketing hype, emails and myths came thick and fast.
There has been no avalanche of massive fines under GDPR. According to a progress report by the European Data Protection Board (EDPB), Supervisory Authorities from 11 EEA countries imposed a total of €55,955,871 in fines. This is not a large amount when you consider it includes a 50 million euro fine on Google issued by the French National Data Protection Commission (CNIL). It followed complaints from two privacy groups who argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as they were in effect forcing users to consent.
EDPB figures also show:
Despite the warnings of data armageddon, year one of GDPR has mostly been a year of learning for Data Controllers and one of raising awareness for Supervisory Authorities. The Information Commissioner’s Office (ICO) in the UK has produced a GDPR progress report in which it highlights an increased public awareness. In March it surveyed Data Protection Officers. 64% stated that they either agreed or strongly agreed with the statement ‘I have seen an increase in customers and service users exercising their information rights since 25 May 2018’.
The ICO has not issued any fines yet but has used its other enforcement powers extensively. It has issued 15 Assessment Notices and 11 Information Notices in conjunction with various investigations including into data analytics for political purposes, political parties, data brokers, credit reference agencies and others. Two Enforcement Notices have been issued against a data broking company and the HMRC respectively as well as warnings and reprimands across a range of sectors including health, central government, criminal justice, education, retail and finance. (25/6/19 STOP PRESS – Enforcement notices have been served (25th June), under the 1998 and 2018 Data Protection Acts on the Metropolitan Police, for sustained failures to comply with individuals’ rights in respect of subject access requests.)
The ICO is planning to produce four new codes of practice in 2019 under GDPR. Here are the dates for your diary:
Year 2 of GDPR will no doubt see more enforcement action by the ICO, including the first fines. According to its progress report, though, it will continue to focus on its regulatory priorities, which are cyber security, AI, Big Data and machine learning, web and cross device tracking for marketing purposes, children’s privacy, use of surveillance and facial recognition, data broking, the use of personal information in political campaigns and Freedom of Information compliance.
Finally, depending on whether there is a Brexit deal, we may see some changes to GDPR via the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which came into force in March this year.
Ibrahim Hasan is a solicitor and director of Act Now Training. This article first appeared on the Act Now Blog. Information on the company’s courses can be found on Local Government Lawyer’s courses and events section.
This article was originally posted here: https://localgovernmentlawyer.co.uk/information-law/344-information-law-features/40938-gdpr-one-year-on