It has been over six months since the General Data Protection Regulation (GDPR) came into effect, so now is a good time to look at how the new rules have been enforced. In the lead-up to GDPR taking effect, many companies realised they were unprepared for the new rules and only started working on compliance in the months before the deadline. GDPR gives the Data Protection Authorities of EU member states the power to fine companies up to €20 million or 4% of annual turnover, whichever is higher. In these early days, however, no Data Protection Authority has issued a fine anywhere near that scale. That is no guarantee that large fines will not follow.
The authority responsible for data protection in the UK is the Information Commissioner's Office (ICO). It has so far issued only one GDPR enforcement notice against a company: in September, Canadian digital advertising company AggregateIQ was given 30 days to audit its data processing operations or face a fine. The company is currently appealing against the notice.
Fines from the ICO are not the only GDPR concern for companies; privacy activists have also initiated lawsuits against large companies. Facebook and Google are being sued by Austrian privacy activist Max Schrems, who is seeking multi-billion-euro fines against each over their data collection practices. Regulators are also seeing a rise in complaints about data protection, possibly because GDPR has drawn more public attention to data privacy. In the three months after GDPR took effect, the ICO received more than twice as many complaints as in the same three months a year earlier.
There is still much work to be done by companies to become compliant. Surveys of businesses conducted by several organisations show that many companies are taking a potentially risky "wait and see" approach. A survey of human resources departments by software company CIPHR found that only 61% of the companies surveyed were deleting personal information as the rules require. Similarly, a survey by IT Governance found that just 29% of companies had plans to change their processes to comply with the rules that give individuals the right to access the data held on them.
While we have not yet seen large fines from regulators over GDPR, it is still extremely important that businesses improve compliance, both because regulators may take a less conservative approach in the future and because of the threat of lawsuits over inadequate data protection. Indeed, the European Data Protection Supervisor, Giovanni Buttarelli, has told the Reuters news agency that we should expect to see the first GDPR fines by the end of this year.