As per the European Data Protection Board (EDPB), the application of the General Data Protection Regulation (GDPR) in the first two years has been successful, considering it has strengthened data protection as a fundamental right and clarified the interpretation of data protection principles.
The GDPR has triggered growing worldwide concern with personal data protection issues, resulting in further investment across industries to achieve compliance. This has increased accountability and resulted in greater awareness of data protection issues at all levels.
However, the implementation of the GDPR has been particularly challenging due to the impact of its requirements, which has led organisations to be particularly thoughtful about the data they collect, process, use, share, store and dispose of, guaranteeing that this is done only to the necessary extent. There are several reasons for this, including fines and reputational risks, as well as the enforcement powers of Supervisory Authorities (SAs) and the Data Protection Officer (DPO) requirements.
According to the EDPB’s latest questionnaire (February 2020), from May 2018 to November 2019, 22 SAs made use of their corrective power to impose fines, issuing approximately 785 fines, which means that only 8 SAs within the EU have not imposed any fine during this period. Moreover, most of these fines are related to the following GDPR requirements:
- Personal data processing (Art. 5);
- Lawfulness of processing (Art. 6);
- Valid consent (Art. 7);
- Processing of special categories of personal data (Art. 9);
- Transparency and data subjects’ rights (Art. 12 to 22);
- Security of processing and data breaches (Art. 32 to 34).
For instance, in October 2019, following complaints from telephone subscribers, the Greek SA fined a telecom group 400 thousand euros for violations of the GDPR’s principle of accuracy and of data protection by design. Subscribers received advertising calls after an error kept them off a do-not-call list that was provided to third-party advertisers, and the group did not have appropriate measures in place to respond to data subjects’ requests to unsubscribe from the unwanted calls.
Also in October 2019, the Romanian SA fined a bank 150 thousand euros for inadequate data protection, and fined a credit company 20 thousand euros for not notifying the SA. This data breach involved a violation of the GDPR’s security of processing requirements: data from the identity documents of more than one thousand individuals were transferred via WhatsApp from the credit company to two bank employees for credit eligibility scoring purposes.
The overall number of fines has been continuously increasing since the GDPR came into force, as shown in Figure 1.
The increased accountability felt by organisations since the implementation of the GDPR has led Celfocus to treat data protection compliance as a business enabler and to strengthen awareness of this topic, promoting a data protection culture within the organisation.
Internally, Celfocus has nominated a DPO and a dedicated Information Security and Privacy Team that works daily, in cooperation with all Business Units, to meet the GDPR’s data protection principles, alongside other functions related to Information Security, Business Continuity Management, Risk Management, Compliance and Quality.
As the first evaluation and review of the GDPR by the European Commission approaches (due by May 2020), it is important not only to celebrate the GDPR’s achievements but also to consider how its application can be further improved. Despite all the work done over the last two years, compliance with the GDPR is an ongoing job that requires the commitment of everyone.