Since May 2018, companies and organisations have been given time to fully come to terms with the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018. This is both an enlightened approach to enforcement and a practical necessity. Rushed enforcement could compromise the quality of decisions and trust in the UK’s and EU’s data protection regulators. During this pause in enforcement, several EU regulators set up new systems, increased staff and in some cases reinvented themselves. At the same time, many EU regulators were inundated with complaints and personal data breach notifications, which stretched their resources and extended their response times. In addition, all EU regulators are now legally required to consult each other about key decisions to encourage transparency and consistent interpretation across the EU. However, enforcement, including fines, has now begun, and it will increase in frequency and impact in the coming months and years.
GDPR enforcement and interpretation will come from various sources. As a result, companies and organisations should look beyond the UK Information Commissioner’s Office to test and update their data governance standards, GDPR compliance and cyber security resilience. Firstly, the European Data Protection Board (EDPB) is a key player, acting as the EU’s super regulator for data protection. Its published opinions and guidance are highly respected in interpreting and applying the GDPR. Secondly, the UK and EU courts will play an increasing role, because these courts are currently considering key cases that could redefine the boundaries of the GDPR, including for key pre-GDPR tools such as the EU Standard Contractual Clauses used for international data transfers. These court decisions could require changes to current commercial deals and past contractual arrangements at great expense to businesses. Thirdly, high quality sector and industry-produced data protection codes of practice and certifications will increasingly be treated as baseline compliance and become the standards against which relevant GDPR and cybersecurity practices are judged. Fourthly, companies and organisations must look at other key data protection regulators around the world, such as the US Federal Trade Commission, whose data privacy decisions about the largest US technology companies will affect countless other companies and organisations in the UK. Finally, for UK and Irish organisations, the type of Brexit that is agreed will determine the future reality of UK GDPR enforcement and the status of critical personal data flows in and out of the EU after any exit.
Key lessons can be learnt from the first fines, enforcement decisions and guidance in the UK, France, Germany, the Netherlands and elsewhere. Accountability is a key principle in the GDPR. It is now clear that cybersecurity breaches will lead to large fines where a lot of personal data are lost or stolen, even after simple human error or where flaws are discovered in the organisation’s procedures. Companies and organisations must get the basics of the GDPR right, such as clearly informing individuals about data use and having fair, simple and transparent consent processes. The data protection risks attached to new technologies such as adtech, artificial intelligence and facial recognition must be subjected to robust Data Protection Impact Assessments, and the outcomes of these must clearly inform how personal data are used. Privacy by design and privacy by default are central to effective compliance; they are not mere add-ons. Crucially, Data Protection Officers must be qualified, well trained and independent, must give frank advice, and must be empowered to make decisions and act.
Amid the flurry of activity generated by fines, enforcement decisions, GDPR opinions, guidance, codes of practice and certifications, companies and organisations must remain composed and outcome-focused, yet adaptable. Relevant GDPR and cybersecurity developments must be identified, interpreted and effectively applied to the organisation, allowing agreed new norms to be absorbed into its operations. GDPR, cybersecurity, legal, audit and operational perspectives must be gathered and rationalised. For present and future GDPR and cybersecurity enforcement, the question is no longer “have you complied, and how?” It is more demanding: why has compliance been done in that way, what risks have been identified, and how have these risk levels been effectively and continuously addressed? This requires very clear analysis, ongoing review, an understanding of the limits of the law, knowledge of the shades of interpretation, and an awareness of the challenges of real-life GDPR application. Fines and enforcement always test theories and best intentions against reality.