Tomorrow it will have been one year since GDPR came into force. We’re sure many still remember the hard work during the weeks and months leading to implementation; the uncertainty that surrounded the new legislation; and who could forget the hundreds of desperate ‘repermissioning’ emails from flustered retailers that flooded our inboxes. Well, without wanting to bring up bad memories, now seems a good opportunity to look at what we have learnt in the last year.
The first thing we learnt was that the sky did not fall, as some had predicted. And, fortunately, supervisory authorities did not immediately fine everyone and anyone with their new enhanced powers. That being said, we have seen some significant enforcement action: Google was fined €50,000,000 by the CNIL (the French supervisory authority); and Facebook was fined £500,000 here in the UK by the ICO for pre-GDPR breaches (interestingly the ICO has stated that had these offences occurred post-GDPR the fine would have been substantially more). So, whilst there hasn’t been consistent significant enforcement action as some had predicted, the possibility of it remains a threat and therefore GDPR compliance must be seen as an ongoing project.
We also learnt that fears about huge increases in the number of subject access requests were, in many sectors, very accurate. Such rights requests, for which controllers can no longer charge even a nominal fee, have been somewhat weaponised, with many examples of data subjects using them as leverage to make a controller’s life more difficult. The courts had previously found under the DPA 1998 that there is a high bar for a controller to refuse a request, so our advice remains that controllers should treat all requests received as valid unless there are exceptional circumstances.
We have of course learnt a great deal more in the last 12 months. And whilst many of the fearmongers have proven to be hyperbolic, we strongly advise that all controllers (and processors) continue to keep GDPR compliance high on the agenda to ensure that they do not draw the attention of the supervisory authorities.