GDPR What’s in store in 2019

2018 signalled a major change in data privacy regulation, probably the most significant shift in the last decade. On 25 May 2018 the EU General Data Protection Regulation (GDPR) became applicable and was written into UK law on the same day through the Data Protection Act 2018, changing the way personal data is handled in Europe and internationally wherever non-EU organisations offer goods or services to people in the EU or monitor their behaviour. So as we move into 2019, what is in store from the GDPR and the authorities that enforce it?

The GDPR in 2018

Both before and after May 2018, organisations launched projects to implement data processing measures and processes that comply with the requirements of the GDPR. The majority of large multinationals started preparing long before the 25 May deadline and are now in a position to declare GDPR baseline compliance. Some would say that they are fully compliant, but because regulatory guidance on the GDPR is still evolving, full compliance remains a work in progress.

Small to medium-sized organisations needed more time and sometimes struggled to find the resources to implement all of the GDPR's requirements. This is backed up by a survey which found that approximately 37% of SMEs (small and medium enterprises) were still non-compliant, with most not going beyond the bare minimum of a website privacy and cookie policy. In the USA and internationally the proportion could well be higher.

The position of the GDPR Regulators

The DPAs (data protection authorities) in the 28 EU member states had (and still have) a lot to do in order to finalise their GDPR guidance. They are relied upon not only to guide organisations on all things GDPR, but also to receive data breach notifications as well as consent and privacy-related complaints, which now run into the thousands.

During the first few months after 25 May 2018, the United Kingdom's Information Commissioner's Office (ICO) reported a 160% increase in data breach complaints compared with the year before, while whistleblowing reports about company data breaches in the United Kingdom tripled.

Within the European Union as a whole there have been, and still are, a number of high-profile complaints lodged with data protection authorities against Google, Facebook, Instagram and WhatsApp over "consent" being imposed upon data subjects. The GDPR prohibits such imposed consent and any form of bundling, that is, making the provision of a service conditional on consent to processing that is not necessary for that service (see Article 7(4) GDPR).

What is Bundling?

Bundled consent refers to a legal entity using a single consent request to ask an individual to agree to a wide range of separate processing purposes at once, without allowing the individual to choose which of those purposes they wish to consent to or opt out of.

Sanctions and fines?

The new requirements of the GDPR did not result in more (or higher) penalties and fines immediately after 25 May. The majority of large data breaches reported in the first year actually occurred before 25 May 2018, and the fines for them were therefore applied under the previous legislation, the Data Protection Act 1998. This trend cannot be maintained: as more breaches come to light they will pass the cut-off date and will be open to the full force of the GDPR's administrative fines (Article 83) and further penalties (Article 84).

EU Representative requirements for non EU organisations.

Which companies need an EU representative under the GDPR?

Companies that have no establishment in the EU yet offer their products or services within the European Union must appoint a representative in the Union if they process the personal data of people in the EU (GDPR Art. 27(1)).

The GDPR extends the territorial scope of its application to controllers and processors whose registered office is outside the European Union. The GDPR applies to the processing of personal data of individuals who are in the EU, regardless of their nationality (GDPR Art. 3(2)). The focus is therefore not on where the company is located or where the processing takes place, but on whether the processed data relates to individuals in the EU.

Non-EU-based companies that offer products or services to "data subjects" (i.e. identified or identifiable natural persons) in an EU member state need to fulfil the requirements stated in the GDPR. The regulation also applies to services that are offered for free. The same applies to non-EU-based companies that monitor the behaviour of individuals in the EU (e.g. by creating a profile), as long as that behaviour takes place within the EU.

What’s in store in 2019?

The data protection authorities (DPAs) are better prepared and resourced for the new year and the challenges ahead.

The Irish DPA, for example, has grown from around 30 employees to over 100.

We can and should expect greater scrutiny of privacy by design, consent capture, and the use of legitimate interest as a lawful basis for processing personal data.

The DPAs will be categorising companies into at least two groups: those which have made a genuine effort to comply with the GDPR's requirements, and those which were, and still are, simply unwilling to make any effort.

Relentless Privacy and Compliance Services offers a range of services to both EU and international organisations to ensure that their data privacy strategy meets the requirements of the GDPR.