On 25th May 2019 it will be one year since the General Data Protection Regulation (GDPR) became applicable across the EU.
The GDPR is an EU regulation which introduced more stringent requirements for organisations regarding the personal data they hold and process about data subjects in the EU. It raised the maximum fine that Data Protection Authorities (DPAs) can impose for infringements to €20 million or 4% of total worldwide annual turnover, whichever is higher. In the UK, the Data Protection Act 2018 supplements the GDPR and replaced the Data Protection Act 1998.
Increase in notification of data breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Note that the definition covers more than "hacks": a lost laptop, a misaddressed email or a ransomware incident that makes data unavailable all qualify.
Under the GDPR, companies must notify their DPA of a personal data breach unless it is unlikely to "result in a risk to the rights and freedoms" of individuals. Notification is due without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach; a later notification must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed. In practice the 72-hour clock makes it essential that security teams have an agreed internal escalation path, so that an incident discovered on a Friday evening does not only reach the privacy team on Monday.
The UK's DPA, the Information Commissioner's Office (ICO), received significantly more breach notifications after the GDPR took effect.
The ICO reported that, since the end of May 2018 when the GDPR became applicable, it has received over 8,000 breach notifications.
To put this figure into context, the ICO received:
2,565 notifications between 1st April 2016 and 31st March 2017
3,311 notifications between 1st April 2017 and 31st March 2018
Increase in requests from data subjects
The GDPR increased the control that data subjects in the EU have over the personal data that companies hold on them and what those companies may do with it. For example, individuals have the right to access their data, the right to have their data erased and the right to be informed about how their data will be processed.
Following the implementation of the GDPR, companies saw a marked increase in erasure requests and data subject access requests (DSARs).
DSARs can be particularly problematic for companies because they must normally be answered within one month (extendable by a further two months for complex or numerous requests), and if, for example, a former employee requests data spanning many years, locating all of it can be extremely time consuming. Handling requests efficiently therefore requires that a company knows which systems hold customer or employee personal data, including backups, log archives and third-party SaaS tools, so that it knows where to look when a request arrives. A maintained record of processing activities and a data inventory are the practical foundation for this.
Fines imposed by DPAs
To date, the largest fine imposed by a DPA under the GDPR is the €50 million fine imposed on Alphabet's Google by CNIL, the French DPA, in January 2019. It related to Google's use of personal data to personalise adverts: CNIL found a lack of transparency and information for users, and that the consent obtained for the processing was not valid. The decision followed complaints by None Of Your Business (noyb) and La Quadrature du Net (LQDN), both non-governmental organisations.
However, the Google fine is an outlier so far, as the fines imposed by other DPAs across the EU have generally been far lower.
GDPR influence on other jurisdictions
The influence of the GDPR is spreading to countries outside the EU. The elements most often borrowed in other jurisdictions' legislation are the GDPR's provisions on data subject rights, breach notification and the accountability of companies.
European countries outside the EU have aligned themselves with the GDPR: Norway, Iceland and Liechtenstein are in the European Economic Area, into whose agreement the GDPR was incorporated in 2018, so it applies there directly, while Switzerland is revising its Federal Act on Data Protection to bring it closer to the GDPR.
Countries that want to do business with Europe, for example in Africa and South-East Asia, are also increasingly adopting data protection laws, not least because a transfer of EU personal data to them is easier where their protection is recognised as adequate.
In India, a draft Personal Data Protection Bill published in 2018 draws heavily on the GDPR and is currently before the legislature.
Brazil is set to bring its first general data protection law, the "LGPD", into force on 15th August 2020.
There is also a general trend towards countries adopting laws that regulate cross-border transfers of personal data.