2018 signaled a major change in data privacy regulations, probably the most complex shift in the last decade. On 25 May 2018, the European Data Protection Regulation came into force and was written into UK law on the same day, changing the way personal data is handled in Europe and internationally wherever non-EU organisations offer services to EU citizens or monitor their behaviour. So as we move into 2019, what is in store from the GDPR and the authorities which enforce the regulation?
The GDPR in 2018
Both before and after May 2018, organisations launched projects to implement data processing measures and processes which comply with the requirements of the GDPR. The majority of large multinationals started preparing long before the final date of 25 May and are now in a position to declare GDPR baseline compliance. Some would say that they are fully compliant, but as the GDPR is still fluid and not finalised, full compliance is still a work in progress.
The position of the GDPR Regulators
The DPAs (data protection authorities) in the 28 member states of Europe had (and still have) a lot to do in order to finalise the GDPR. They are not only relied upon to guide organisations on all things GDPR, but they also receive data breach notifications as well as consent and privacy-related complaints running into the thousands.
During the first few months after May 28th 2018, the United Kingdom’s Information Commissioner’s Office (ICO) reported a 160% increase in data breach complaints from the year before, whilst whistleblowing reports on company data breaches in the United Kingdom have tripled.
Within the European Union as a whole there have been, and still are, a number of high-profile complaints lodged with data protection agencies in Europe against Google, Facebook, Instagram, and WhatsApp over “consent” being imposed upon data subjects. The GDPR prohibits such imposed consent and any form of bundling (privacy consents requested for many entities under one consent request), including tying a service to a requirement to consent (see Article 7(4) GDPR).
What is Bundling?
Bundled consent refers to a legal entity using a single consent request document to ask an individual to consent to a wide range of collective consents, without allowing the individual to choose which of the collective consents they wish to consent to or opt out of.
Sanctions and fines?
The new requirements of the GDPR did not result in more (and higher) penalties and fines after 25 May. The majority of large data breaches reported in the first year actually occurred before 25 May 2018, and therefore fines were applied under the previous privacy act of 1998. But this trend cannot continue: as more breaches come to light they will pass the cut-off point and will be open to the full force of the Article 84 GDPR penalties.
EU Representative requirements for non-EU organisations
Which companies need an EU representative under the GDPR?
Companies that do not have an office in the EU yet provide their products or services within the European Union must appoint an EU Representative in the Union if they process personal data (GDPR Art. 27(1)).
The GDPR extends the “territorial” scope of its application to processors and controllers whose registered office is outside of the European Union. The GDPR also applies to the processing of personal data of individuals residing in the EU, regardless of their nationality (GDPR Art. 3(2)). The focus is therefore not on where the company is located or where the processing takes place, as long as the processed data involves individuals residing in the EU.
Non-EU-based companies that offer products or services to “data subjects” (i.e. identified or identifiable natural persons) in an EU member state need to fulfil the requirements stated in the GDPR. This regulation also applies to services that are offered for free. The same applies to non-EU-based companies that monitor the behaviour of EU residents (e.g. by creating a profile), as long as that behaviour takes place in the EU.
What’s in store in 2019?
The data protection authorities (DPAs) are better prepared and resourced for the new year and the new challenges ahead.
The Irish DPA, for example, has grown from around 30 employees to over 100.
We can and should expect greater scrutiny of privacy by design, consent capture, and the use of legitimate interest as a lawful basis for processing personal data.
The DPAs will be categorising companies into at least two groups, distinguishing between companies which have made an effort to comply with the GDPR requirements and those which were, and are, simply not willing to make any effort.
Relentless Privacy and Compliance Services offer a range of services to both EU and International organisations to ensure that their data privacy strategy meets the requirements of the GDPR regulations.