The Data Protection Commissioners and Data Protection Directorates in all EU countries are issuing guidance, frequently accompanied by thought-provoking and practical discussion of the critical GDPR articles where GDPR has a significant impact, e.g. on FCPA compliance programs, third-party due diligence, DPIAs, or the lack of GDPR enforcement actions in some GDPR-related areas.
The sum of this attention to GDPR compliance can in many ways be compared to the concern and commotion, and the many uncertainties, of the Y2K period. The impatience of senior management and boards of directors with the claimed lack of GDPR enforcement activity is often unwarranted. There is a lot of activity underway, as documented by the fact that most oversight authorities have already received quite a few complaints from data subjects.
With only four months since GDPR went into effect, the Irish Data Protection Commission (DPC) received more than 2,000 complaints and inquiries from data subjects and NGOs. This is a significant increase over the number of complaints that the DPC had received prior to GDPR. It is hoped that most of the complaints will be resolved in an amicable way between the controllers, processors and data subjects with some facilitation from the DPC.
The DPC has about 80 cases in various stages. About half of them concern social media, while the rest cover various industries, from aviation to engineering to legal services. These cases arise from complaints brought by data subjects and NGOs. The DPC may also initiate so-called “own volition inquiries.” There are no “secret investigations,” so the subjects of pending investigations know that they are being investigated.
The long life cycle of enforcement actions is due to several factors. The DPC is careful to apply its supervisory and enforcement powers with impartiality, fairness and transparency, and in accordance with due process and fair procedures as required by the Irish Data Protection Act 2018. On a practical level, the DPC strives to make sure that any of its enforcement actions are unimpeachable in court.
Settlement of a case is the last step in the process. Although the DPC may speak publicly about a case even before the adjudication, it will do so rarely and very judiciously as happened recently with the Facebook breach. The DPC may choose from a number of enforcement tools: a warning, reprimand, temporary or permanent prohibition on processing or data transfer, and ultimately an administrative fine. Although not discussed during the event, we note that the Data Protection Act 2018 also provides for jail time for especially egregious violations.
It is currently unclear how Brexit will impact personal data flows to the United Kingdom. There is a possibility that if there is a no-deal Brexit, the UK would immediately become a “third country” under GDPR requiring some transfer mechanism for data flows between the EU and the UK because any adequacy decision by the EU would take time and is not guaranteed. Any companies that relied on the UK as a “one-stop shop” for GDPR purposes would need to find a new EU jurisdiction for their main establishment. One overall takeaway from the event is that Ireland is eager to be the destination of choice for companies looking for a new EU home. This was highlighted by the fact that the event was co-sponsored by IDA Ireland, an Irish government agency responsible for attracting and retaining foreign direct investments.
Among several practical topics, and offered tongue-in-cheek, were several examples of unintended consequences that were apparently overlooked by GDPR. These include Article 10’s prohibition on processing personal criminal background information, which TRACE has flagged as potentially hindering anti-bribery due diligence. He struck an optimistic note that Irish law provides a solution to this issue.
The example from Sweden
The first Swedish GDPR oversight review, covering more than 400 organizations, revealed significant deficiencies in nearly 25% of the trade unions selected for review.
Under the Data Protection Regulation (GDPR), all public authorities and certain companies are obliged to designate a data protection officer. The officer must verify that their own organization complies with the regulations and with internal control documents on data protection issues, and must inform and advise internally.
It is a very important factor in raising awareness and compliance with GDPR, which is why we prioritized this as the first GDPR oversight review.
The Data Inspectorate carried out a broad review of more than 400 authorities and companies, investigating whether they had appointed a data protection officer and whether they had notified the Data Inspectorate of the appointment, as they are required to do.
The audit shows that most of the audited organizations appointed a data protection officer and notified the Data Inspectorate in time. However, some sectors stand out negatively: of the 51 unions included in the sample, nearly 25 per cent had shortcomings.