This time last year many businesses were introducing new policies and training their staff, in readiness for the GDPR coming into effect on 25th May 2018. The European Commission has reported that during May 2018 ‘GDPR’ was searched more often on Google than American superstars Beyoncé and Kim Kardashian. Now that the initial flurry of activity – or panic in some quarters – has died down, what is the position as GDPR approaches its first birthday?
Most organisations already had experience of dealing with data subject access requests under the Data Protection Act 1998 (“DPA 1998”). It has been thought that the abolition of the £10 fee for submitting a request, together with other changes to enable requests to be made more easily, may have led to an increase in the number of requests made. Although there is no way of monitoring requests made nationally, our experience is that there has been little difference from the pre-GDPR days. However in February 2019 Nottinghamshire Police reported that 2018 saw a 22.57% increase in valid subject access requests from the previous year.
The new mandatory data breach reporting obligations were of concern to many last year. The Information Commissioner’s Office is believed to have received in the region of 500 reports per week by telephone in the weeks after the GDPR came into force.This has now reduced to around 400 a month. The ICO has a self-assessment tool and guidance available on its web site to assist in deciding whether or not a breach needs to be reported and a template notification form to use for reportable breaches.
One of the biggest causes of concern was the high level of possible fines, at the higher of 4% of annual global turnover or €20 million.It is of course early days, but the European Commission reports only 3 fines throughout Europe, although several high level cases are said to be ongoing. Here, the ICO continues enforcement of the now-repealed DPA 1998 but has yet to issue a monetary penalty notice for breach of the GDPR. The ICO has however issued more than 900 notices of intent to fine for failing to pay registration fees following expiry of notifications under the DPA 1998.
In both Ireland and the UK substantial funds have been made available to increase the headcount of the supervisory authorities for data protection. After a relatively quiet first year, organisations need to take this opportunity to review their experiences since the introduction of GDPR and make adjustments to their policies and procedures to ensure ongoing compliance.
CONTACT US
The regulatory team at Ramsdens Solicitors is experienced and focused in handling a variety of regulatory cases investigated and/or prosecuted by a range of regulatory authorities.
To discuss Regulatory issues, please either use the contact form on the right, email us at info@ramsdens.co.uk or call us on 01484 821 500 to speak to a member of our team.