It has been almost a year since the European Union's General Data Protection Regulation (GDPR) became enforceable. During that time, news outlets have reported various stories that largely concerned the regulation and its sanction regime. In January 2019, for example, the world learned that the French data protection authority, CNIL, had imposed a fine of 50 million for "lack of transparency, inadequate information and lack of valid consent regarding personalization of advertisements," as reported by BBC News. A few months later, officials in the UK and Ireland told The Wall Street Journal that they expected to announce large fines for other organizations, starting in the summer of 2019.
Notwithstanding this coverage, the importance of GDPR's one-year anniversary goes beyond legal penalties and fines. The European Data Protection Board (EDPB) confirmed this in its first summary report on the Regulation. This publication sheds light on how the national supervisory authorities (SAs) of the EEA (the 28 European Union member states, Iceland, Norway and Liechtenstein) worked together to enforce the GDPR consistently during its first year.
Now let's take a look at the main findings of this report.
Implementation at national level
The EDPB report showed that the EEA's SAs reported a total of 206,326 cases in the first year of GDPR enforcement. Each of these cases fell into one of three categories. Almost half (94,622) dealt with complaints, while 64,684 of these reports concerned data breaches. The remaining cases concerned "other" issues.
Within that period, the authorities closed slightly more than half (52 percent) of those cases.
GDPR gives SAs several types of corrective powers that they can use against an offending data processor or controller. These powers include issuing warnings, issuing reprimands, ordering the entity to bring its operations into compliance with the Regulation, and imposing fines if it does not. Since May 25, 2018, the 31 SAs have used the last of these measures to impose a combined total of 55,955,871 euros in administrative fines.
Better resources and powers for SAs
Over the past year, the SAs have stepped up their activity to exercise their growing enforcement powers. This increased activity was evident in the growth of many of these authorities' budgets and staffing needs. Twenty-six SAs, for example, saw their budgets increase between 2018 and 2019. Looking ahead, 17 SAs asked for a budget increase. Most of them sought an increase of 30-50 percent, but some asked for 100 percent. However, almost none of the SAs received the amounts they requested.
Cross-border and mutual assistance cases abound
The EDPB's first overview makes it clear that SAs work together to enforce GDPR. This cooperation has taken various forms since May 25, 2018. A prime example is that 30 SAs registered 281 cases with a cross-border element in the first year of the Regulation's enforcement. Cases of this type often require SAs to work together through mutual assistance, joint operations or cooperation under a special "One-Stop-Shop" mechanism.
Although there were no joint operations and only a few dozen instances in which the One-Stop-Shop mechanism came into effect, there were many examples of mutual assistance in the first year of GDPR. Indeed, SAs from 18 different countries made 444 requests for mutual assistance (formal and informal) during that period. The receiving SA sent its reply within 23 in 353 of those requests for mutual assistance.
Room for improvement
In its report, the EDPB openly acknowledges that work still needs to be done on GDPR enforcement. Reflecting on the Regulation's cooperation mechanism, the EDPB believes it could do more to streamline the IMI system. Specifically, this means allocating more resources to authorities and possibly hiring more staff who can speak English.
External analysts believe that there is also room for improvement in GDPR in other ways. Dov Goldman, Director of Risk and Compliance at Panorays, believes that a crucial element of the regulation still needs to be addressed. As quoted by Dark Reading:
In addition to the complaints lodged against the obvious suspects such as Google, Facebook and Instagram, we have certainly seen a number of changes in the way in which companies guarantee the privacy of data. That being said, these improvements were primarily limited surface treatments and much less of the extensive 'privacy by design' that the regulators had in mind.
It is currently unclear what this new phase will look like or when it will take effect. But these unknowns make this phase no less consequential. On the contrary, moving to the "privacy by design" phase is essential to recognizing that data security is about much more than just protecting "users." The goal is to respect people by protecting those private elements that each person uniquely has. I want to be exposed.
Recognizing the importance of privacy by design, we can only wait and see what will happen next in the changing GDPR mandate.