A recent round table event hosted by The Lawyer took a timely look at developments in data protection and the GDPR. Clifford Chance Applied Solutions also took the opportunity of two full years of GDPR compliance to take a step back, draw breath and consider developments so far.
The era of active enforcement?
The first thing to note is that enforcement is genuine. Data Protection Authorities (DPAs) across Europe have increased both the frequency and the size of penalties imposed under the GDPR. The initial period of tolerance, which gave companies and organisations time to adjust to the new regulation and bed in their respective programmes, appears to have come to an end. Now that the DPA in every member state has issued at least one sanction, we appear to be entering an era of more active enforcement.
Many of the small sums levied so far can be read as sample cases designed to test the water. Because the fines have been low compared to the headline figures permissible under the regulation, many companies have chosen not to appeal. The consequence is that DPAs now have a body of unchallenged decisions against which to set future fines.
What is apparent is that every industry sector has been affected. In the UK the Information Commissioner's Office (ICO) has issued a notice of its intention to fine Marriott Hotels nearly £100m after attackers stole the records of some 339 million guests. The intrusion began in 2014 in the systems of the Starwood hotels group; Marriott acquired Starwood in 2016 and the theft of customer information was only discovered in 2018. The ICO said Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to secure its systems. Note that a notice of intent is not a final penalty: the company may make representations before the ICO fixes the amount. What is striking in this example is the intention not simply to pursue companies for wrongfully acquiring personal data, but also, as here, for failing to secure data inherited through an acquisition and for holding on to it for longer than necessary.
Also of interest is the increasing scrutiny that Data Protection Officers (DPOs) are coming under. The GDPR stresses their independence and neutrality, but can this be demonstrated when the DPO is also a member of the senior management team? An emerging best practice is for DPOs to hold no management role that determines the purposes or means of processing, so that a DPA cannot claim they are in effect overseeing their own data processing activities.
Perhaps the most striking trend to emerge is around Data Subject Access Requests (DSARs). The take-up of these in the UK appears to be stronger than anywhere else in Europe. A more concerning development is the increase in companies not honouring data subjects' exercise of their right to access the data held about them.
It may take another two years under the regulation to show whether this is down to a maturing of companies' data protection programmes, or to a more cavalier attitude of companies towards data privacy. What does look assured is that, on current trends, the investigations and fines only look set to continue. We have been warned!
Non-compliant companies risk heavy sanctions. In a high-profile example, Google was fined 50 million euros (£44m) by the French DPA, the CNIL, for breaches of the EU's data protection rules, including a lack of transparency and the absence of valid consent for ad personalisation. So far it remains the largest penalty actually imposed under the GDPR. However, even smaller businesses must remain vigilant.