GDPR one year on

SA Law’s Head of employment & Data shares his insight into what’s happened since the GDPR came into force in May 2018 and what trends & traps have most affected organisations.
Fri 28th Jun 2019

It has certainly been a busy year since the implementation of the General Data Protection Regulation (GDPR) with no signs that the topic will be fading into the background any time soon.

Data breaches and complaints

At a recent panel discussion, Stephen Eckersley, the Head of Enforcement at the UK’s Information Commissioner’s Office, said the UK had seen a “massive increase” in reports of data breaches since implementation of the GDPR.

In June 2018, companies self-reported 1,700 data breaches, and Mr Eckersley estimated that a total of around 36,000 breaches will be reported in 2019, a significant increase from the previous annual reporting rate of between 18,000 and 20,000 breaches.

This trend has been mirrored across Europe where nearly 60,000 breaches were reported during just the first eight months of the GDPR, according to a survey released in February 2019.

Enforcement and fines

During the first nine months that the GDPR was in effect, the total penalties imposed totalled almost 56 million euros, according to a report published in late February by the European Data Protection Board. However, it should be flagged that a fine levied against Google accounts for nearly 90 percent of that sum.

In January 2019, French data regulator, CNIL, fined Google 50 million euros for a breach of the GDPR after complaints were lodged by two privacy rights groups against the company. The groups claimed that Google did not have a valid legal basis, as required by the GDPR, to process user data for ad personalisation. In its finding, CNIL cited a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”

CNIL found that Google had not obtained clear consent from users to process data as necessary information was provided over several documents. Further, the option to personalise ads was pre-selected with users giving consent for all the processing operations carried out by Google. CNIL stated that this was contrary to the GDPR which requires that consent is given for each specific purpose.

This decision highlights the importance for companies of thoroughly analysing all operations involving the processing of personal data to ensure GDPR-compliance and it demonstrates the authorities’ readiness to enforce the sanctions available.

Subject access requests

Arguably an unexpected consequence of the GDPR, employers have seen a sharp rise in subject access requests (SARs) from staff members. The new legislation gives additional rights to employees and makes the process of making SARs simpler. There is now no restriction on the number or regularity of SARs, employers must respond within a shorter timeframe and they cannot generally charge a fee. The prominence of data protection issues as a result of the introduction of the GDPR is also likely to have contributed to the increase.

The significant administrative and financial burden is something that companies may have failed to plan for in the lead up to the implementation of the GDPR. However, with the ICO confirming that mishandling of SARs remains the main source of complaint under the legislation, employers must be careful not to ignore them however much of an unwelcome distraction they may be.