There was a sense of urgency around the General Data Protection Regulation (GDPR) this time last year, almost reminiscent of the Y2K bug preparation. There were ads on national radio urging businesses to have their house in order and a feeling of dread when the word GDPR was mentioned. And then May 25th came and went, and similar to Jan 1st, 2000 – the world continued to spin.
One year later, it is fair to observe that while compliance with GDPR is not optional, a certain number of businesses are still not fully compliant, or even fully trained. But the sense of urgency has disappeared, and businesses feel they have the space to breathe again and take stock.
Meanwhile, the Data Protection Commission office has been busy. It experienced an expected surge of complaints due to the awareness campaign, which led to a greater public consciousness of data protection issues and rights. Of the 2864 complaints received between May 2018 and Dec 2018, over half were attributed to Access Rights, Unfair Processing of Data and Disclosure.
The common consensus is that the 12 months since the launch of GDPR have been a period of settling in, with the Supervisory Authority deeming it necessary to issue some myth busters around GDPR. Amusingly, one such myth buster concerned a hairdresser refusing to give details of a customer’s hair colour over the phone, requesting instead that the customer submit a formal request to the headquarters of the hairdresser’s business. Not being able to do something “because of GDPR” is becoming a common phrase to hear these days, with mixed views of what one can actually do.
However, on a more concerning note, a case was highlighted to the commission regarding a paramedic who was called to a nursing home to attend to a resident who had become unconscious and needed medical attention. Upon seeking access to the resident’s medical history, nursing home staff had serious concerns about sharing it with the paramedic due to GDPR. Worryingly, this misinterpretation of the legislation could have had far more serious consequences.
And the confusion continues, it seems, with a statement released recently by the commissioner to clarify the situation around parents taking pictures of their children at school events… you can, by the way. Common sense prevails in a lot of instances, but unfortunately a lack of training and understanding will lead to mistakes being made, which could potentially lead to breaches of GDPR, with fines to follow.
Human error by staff presents a high risk of data breaches on an ongoing basis, and it is critically important that efforts are made to mitigate those risks by driving data protection awareness throughout the organisation, particularly among new staff.
So where are these potential fines that we have been hearing about? Google is appealing a hefty fine of €50 million from the French Supervisory Authority for a breach of GDPR, and Facebook continues to be under investigation by our own Data Commission over several breaches. Fines for GDPR breaches can go up to €20 million or 4% of a company’s global turnover, whichever is higher.
The Data Commission is increasing their staffing levels this year in order to “meet the demands of the tasks assigned under the GDPR and to deliver public value in what is an area of critical importance to society”.
The message is clear: with increased staffing levels and a softly-softly approach to working through the myths that surround GDPR in the first year, the honeymoon period must come to an end. In fairness, with a two-year lead-in period, GDPR has been knocking around for three years at this stage… it’s only a matter of time.