GDPR - one year on...
A year has now passed since the full implementation of the General Data Protection Regulation throughout the European Union. The International Association of Privacy Professionals (IAPP) have conducted research to assess the real impact of GDPR in its first year.
Here are some of their findings…
- More than 375,000 organisations have registered Data Protection Officers (DPOs) with their Data Protection Authorities (DPAs). That includes 32,000 that have registered with the Information Commissioner’s Office (ICO) in the UK.
- EU DPAs investigated more than 200,000 cases.
- More than 94,000 individual complaints were made regarding topics such as Subject Access Requests (SARs), unfair processing, the right to be forgotten and employee’s right to privacy. It is not possible to determine how many SARs were made in the UK as the ICO do not collect statistics – they just deal with complaints when SARs are mishandled or ignored.
- The number of Data Breach Notifications submitted to EU DPAs exceeded 64,000. In the UK, the number was 14,000, which compares to 3,300 in the previous year.
More than €56 million in fines have been levied for breaches of GDPR.
Significant increase in SARs...
Although we can’t be sure about the actual number of SARs in the UK, a survey conducted by the ICO in March found that 64% of DPOs had seen a significant increase in the number of customers or service users exercising their data protection rights. Around 41,000 concerns were raised with the ICO by members of the public during the year, 38% of which related to SARs. This compares to 21,000 concerns raised in the previous year.
Enforcement of GDPR
With regard to enforcement, the ICO has focussed a lot of its resources on breaches involving highly sensitive information affecting large groups or vulnerable people. They have used their full toolkit of regulatory powers but have used the most significant powers, on organisations and individuals suspected of repeated or wilful misconduct or serious failure to protect personal data.
The main sectors where reprimands or enforcement notices have been issued are health, central and local government, criminal justice, education, retail and finance. The health sector accounts for 16% of data breaches, local government 7% and lenders 6%.
The ICO has recruited 200 additional staff to help cope with the extra workload and it is seeking to recruit further during 2019/20, effectively doubling in size in the space of 3 years.
So, what about the next steps?
The European Commission issued a statement on the anniversary stating: “These game-changing rules have not only made Europe fit for the digital age, they have also become a global reference point. The priority for the upcoming months is to ensure proper and equal implementation of the GDPR in the member states.”
The Information Commissioner, Elizabeth Denham, said: “The focus for the second year of the GDPR must be beyond baseline compliance - organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.”
The ICO is developing four new statutory codes of practice to underline the principles of the GDPR in key areas; data sharing; direct marketing; journalism; and children’s data.
It is important to remember the ICO’s often-stated view that privacy and data protection compliance is an ongoing journey and not a one-off tick box exercise.
To help your organisation we have a range of one-day GDPR courses which can be found here.