The GDPR: A six-month review

The General Data Protection Regulation (GDPR) regulates the collection, use, and sharing of European Union (EU) personal data. “Personal data” has a broad definition, covering any information relating to an identified or identifiable individual.

The regulation affects any organization that processes European personal data, regardless of whether the organization maintains a presence in the EU, and it had companies around the globe scrambling to make practical sense of the requirements in an attempt to comply with the May 25, 2018 deadline, in an absence of clear direction from regulators. With a few months under our belt, regulators are beginning to shed light on various aspects of enforcement.

Observations so far

It’s been just over six months since the GDPR went into effect, and while we haven’t seen any fines in the neighborhood of the maximum €20 million or 4% of a company’s worldwide annual revenue, enforcement of the GDPR is in full swing. Here are some observations on GDPR enforcement so far:

• Data Protection Authorities (DPAs) are receiving large volumes of complaints, so just because you haven’t been contacted by a DPA yet doesn’t mean they don’t have a complaint sitting on their desk with your company’s name on it.
• DPAs are being proactive and conducting audits of companies for compliance with a variety of provisions under the GDPR, including data inventories, transparency, consent and cross-border transfers.
• Most of the DPAs have indicated that they are more interested in working with organizations to achieve GDPR compliance rather than trying to punish them, but will do so when the situation calls for it.
• Organizations that cooperate with their DPA have been given smaller fines and/or have been given time to fix their deficiencies before a fine is assessed.
• Organizations that do not cooperate with their DPA or try to hide what they’re doing have been given larger fines and have not been given time to fix their deficiencies before a fine is assessed.

What does this mean for employers?

GDPR compliance is an ongoing process. While many organizations focused on complying with one law in the months leading up to May 25, compliance is broader than one law – think privacy compliance – and organizations should take the approach of operationalizing the GDPR into their existing privacy programs.

Organizations will have to continue building on their privacy programs as more countries (and even U.S. states like California) upgrade their existing privacy laws or introduce them for the first time. 

What to expect in 2019

Several EU regulators attended the IAPP Europe Data Protection Congress in Belgium at the end of November, and indicated that organizations should not expect any big fines in 2018, but they will come in 2019. Some of the cases they are working on are cross-border cases that will take several months to resolve. 

We’re also expecting the European Data Protection Board (EDPB) and the individual Member State DPAs to issue more guidance to help organizations comply with the GDPR. 

Disclaimer: The information provided in this post is provided for informational purposes only and should not be relied upon or construed as legal advice and does not create an attorney-client relationship. You should review with your legal advisors how the laws identified in this post may apply to your specific situation.