GDPR: 1 year on

University of Edinburgh law student Nicole Pitches examines its impact over the past 12 months

The General Data Protection Regulation (GDPR) took the EU by storm, and everyone scrambled to maintain the highest standard of data privacy known to date. So what has the GDPR actually achieved in the past year? Have any major companies fallen victim to the dreaded fine of 4% annual global revenue?

Fines have indeed been distributed across Europe, with smaller organisations falling subject to the scrutiny just as much as larger ones. In March of this year, the president of the Polish Personal Data Protection Office (UODO) imposed a €200,000 fine (£180,000) to a relatively small organisation. The company knew about the GDPR requirement to inform data subjects of data processing activities, but failed to do so. As the data subjects were unaware of their rights, they were not able to object to the further processing of their data or request the data’s rectification or erasure. The director of the Analysis and Strategy Department at UODO, Piotr Drobek, revealed the controller had denied the information to over 6 million people, with the president claiming it was done intentionally.

By comparison, in May 2019 the Belgian equivalent of the UODO, the Belgian Data Protection Authority (DPA), issued a fine for just €2,000 (£1,800). The case was taken to the DPA’s Litigation Chamber, where it was found the defendant, a mayor, collected email addresses in order to send out electoral campaign-related materials, and thus violated the principles of the GDPR, namely article 5(1)(b) which states that the data collected must be for “specified, explicit and legitimate purposes” and not further processed for new, incompatible purposes.

Following the DPA’s decision in the mayor/email case, the UK’s Information Commissioner’s Office (ICO) announced that it would focus on the use of personal information in political campaigns, use of surveillance and facial recognition technology, artificial intelligence, big data and machine learning.

Elsewhere, Ireland set its sights on the major internet giants due to their taxation arrangements within the country. The head of Ireland’s Data Protection Commission, Helen Dixon, predicts that within the next month we’ll see the first enforcement action reach the European Data Protection Board. The response of companies has been to become “combative” by “lawyering up” — hardly surprising given the amount of EU scrutiny.

So far GDPR may not have forced organisations to cough up eye-watering amounts of money, bar a couple of exceptions, but plenty of data breaches have been reported to have occurred over the past year. In February 2019, DLA Piper revealed that over 59,000 breaches had been reported throughout Europe, with Germany, the Netherlands and the UK securing top spots for the highest number of breach notifications.

So, what have we learned from all this? PrivSec, a blog specialising in internet privacy and security, rightly points out that while the GDPR has brought about many challenges for business, it has upped data standards and increased the demand for privacy professionals. The very nature of the GDPR demands companies to engage in efficient and accurate documentation from the very beginning, improving the overall standardisation of data protection. General cybersecurity has also been vastly improved, with networks, servers and infrastructures being readily upgraded in order to limit the possibility of data breaches.

Since its implementation in Europe, the GDPR has prompted a number of other regulators to devise data protection and privacy legislation, such as Brazil’s Personal Data Protection Regulation and the Californian Consumer Privacy Act.

Despite the optimism surrounding the GDPR, there have been complaints that regulators have not been quick enough to issue fines. Of the €56 million (£50 million) dished out in financial penalties since GDPR’s implementation, €50 million (£45 million) was the result of just one single fine: the French DPA against Google in January of this year over its use of user data to create personalised adverts.

While this huge fine may seem to some like a major victory for data protection, it only makes up for 0.04% of Google’s total revenue in 2018. However, the EU has taken note of this, with the Dutch DPA creating a fining matrix to gauge how administrative fines should be calculated. There are reports other EU countries are looking to create something similar.

Now that a year has passed, the ICO has recommended that both large and small organisations move beyond mere “baseline compliance”, and start focusing on “accountability with a real evidenced understanding of the risks” posed to individuals. GDPR compliance will need to be continuously monitored, and while we have not yet seen any truly damaging data breaches, investigations continue, the results of which are eagerly awaited.

Nicole Pitches is a postgraduate law student at the University of Edinburgh. She recently completed her LLB at the University of Warwick.