GDPR: one year on

What have we learned from the 12 months that the General Data Protection Regulation has been in force? Ibrahim Hasan reports.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force on 25th May 2018 with much fanfare. The biggest change to data protection law in 20 years, with GDPR carrying a maximum fine of 20 million Euros or 4% of gross annual turnover (whichever is higher), the marketing hype, emails and myths came thick and fast.

There has been no avalanche of massive fines under GDPR. According to a progress report by the European Data Protection Board (EDPB), Supervisory Authorities from 11 EEA countries imposed a total of €55,955,871 in fines. This is not a large amount when you consider it includes a 50 million euro fine on Google issued by the French National Data Protection Commission (CNIL). It followed complaints from two privacy groups who argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as they were in effect forcing users to consent.

EPDB figures also show:

• 67% of Europeans have heard of GDPR
• Over 89,000 data breaches have been logged by the EEA Supervisory Authorities. 63% of these have been closed and 37% are ongoing
• There have been 446 cross border investigations by Supervisory Authorities

Despite the warnings of data armageddon, Year one of GDPR has mostly been a year of learning for Data Controllers and one of raising awareness for Supervisory Authorities. The Information Commissioner’s Office (ICO) in the UK, has produced a GDPR progress report in which it highlights an increased public awareness.In March it surveyed Data Protection Officers. 64% stated that they either agreed or strongly agreed with the statement ‘I have seen an increase in customers and service users exercising their information rights since 25 May 2018’.

The ICO has not issued any fines yet but has used its other enforcement powers extensively. It has issued 15 Assessment Notices and 11 Information Notices in conjunction with various investigations including into data analytics for political purposes, political parties, data brokers, credit reference agencies and others. Two Enforcement Notices have been issued against a data broking company and the HMRC respectively as well as warnings and reprimands across a range of sectors including health, central government, criminal justice, education, retail and finance. (25/6/19 STOP PRESS  – Enforcement notices have been served (25th June), under the 1998 and 2018 Data Protection Acts on the Metropolitan Police, for sustained failures to comply with individuals’ rights in respect of subject access requests.)

The ICO is planning to produce four new codes of practice in 2019 under GDPR. Here are the dates for your diary:

• A new Data Sharing code. A draft code for formal consultation is expected to be launched and the final version laid before Parliament in the autumn.
• A new Direct Marketing code to ensure that all activities are compliant with the GDPR, DPA 2018 and the Privacy and Electronic Communications Regulations (PECR). A formal consultation on this will be launched with a view to finalising the code by the end of October.
• A Data Protection and Journalism code. A formal consultation on this will be launched with a view to laying the final version before Parliament in the summer.
• A code of practice on political campaigning. The code will apply to all organisations who process personal data for the purpose of political campaigning, i.e. activity relating to elections or referenda. A draft will be published for consultation in July 2019.

Year 2 of GDPR will no doubt see more enforcement action by the ICO including the first fines. According to its progress report though, it will continue to focus on its regulatory priorities which are cyber security, AI Big Data and machine learning, web and cross device tracking for marketing purposes, children’s privacy, use of surveillance and facial recognition, data broking, the use of personal information in political campaigns and Freedom of Information compliance.

Finally, depending on whether there is Brexit deal, we may see some changes to GDPR via the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which came into force in March this year.

Ibrahim Hasan is a solicitor and director of Act Now Training. This article first appeared on the Act Now Blog. Information on the company's courses can be found on Local Government Lawyer's courses and events section.

Want to know more? Ibrahim is presenting a GDPR Update webinar in July. For those seeking a GDPR qualification, Act Now's highly popular practitioner certificate is the best option. Read the testimonials here.