Monday, May 27, 2019
As published on www.bizplus.ie: In the lead up to commencement of the GDPR (General Data Protection Regulation) on 25th May 2018, there was a mix of concern, panic and scepticism about the advent of a new era for data privacy. By 25th May 2018, most people had heard of GDPR, some understood its key focus and others dismissed it or paid very little attention – possibly believing it was all hype.
“One year on the statistics tell us that indeed the Regulation has made a difference.” That’s according to Eoghan Doyle, partner specialising in corporate, commercial and data protection law.
Eoghan says: “It has made a difference in the awareness of individuals of their rights when it comes to the use of their personal data and for businesses and government bodies it has made a difference in the way they address risk. Where data protection might have once been put to the back of the line in terms of risk priorities, companies recognise that their customers place real value in protecting their data. Consequently, other businesses want to know that their counterpart will not cause them a liability issue or a complaint to the regulator.
What we are seeing is that compliance with GDPR can help or hinder commercial opportunities – depending on how an organisation is dealing with it. If they are not prepared when it comes to complying with the law, projects are stalled, contracts are lost, and the risk of complaints is increased.”
More informed customers and regulatory teeth
The statistics reveal a growing trend of individuals making complaints, greater awareness among companies of their obligations in reporting breaches (although the data tells us that breaches have been over-reported, i.e. they did not need to be reported) and the impact in monetary terms that the Regulation can have on business.
The largest fine imposed to date was against Google and imposed by the French supervisory authority, CNIL. The case involved breaches of the rules on transparency, inadequate information provided to service users and failure to obtain valid consent regarding ad personalisation.
Challenges in practice
In our practice, the challenges we see organisations facing include: negotiation of contractual liabilities when it comes to breaches of GDPR, demonstrating compliance to investors or a buyer of a business, and effecting change in day to day practices in a way that is privacy focused.
Data protection and Brexit has also been a key challenge for organisations and will continue to be so for the foreseeable future. If a no-deal Brexit occurs, the UK would become a third country for the purposes of the GDPR, thus requiring extra protections to be taken in order to transfer personal data to the UK. The most common solution to this has been to plan to implement the EU Commission approved Standard Contractual Clauses (SCCs), which implement contractual safeguards between data exporters and data importers where personal data is being transferred outside the EEA. The first step for any business, however, is to draw up a list of your suppliers or companies you deal with in the UK, identify the data that is transferring and assess whether this should continue. If the answer is yes, you should start the process of reviewing contracts and putting in place appropriate safeguards for a no-deal scenario.
While the level of potential fines grabbed most of the headlines in the lead up to 25 May 2018, the GDPR was not brought into being to just impose fines on businesses. The main goal of the Regulation is to protect individuals’ privacy rights, empower citizens to take meaningful action and, where appropriate, hold companies to account where they cross the line. The reality is, every complaint referred to above is capable of leading to a fine or taking up key personnel time in dealing with it. Organisations want to avoid this, and this is evident in the time and effort we see being put in by companies to protect themselves and reduce the likelihood of a complaint being made against them.
The statistics clearly demonstrate that there is greater awareness of data protection rights since GDPR has come into effect and, what is more, citizens are prepared to take action and regulators are tooled up to follow through on complaints – the Irish DPC’s funding has risen from €1.7m in 2013 to €11.7m in 2018 and during the same period staff numbers have grown from 30 to 110, which is expected to increase even more. At the end of 2018, the DPC had 15 live investigations into big tech companies, now at 19. Just this week, it was confirmed that an investigation is underway by the DPC into Google for its online advertising business model and what is known as “real time bidding” of users’ personal data (where your data is traded in an online marketplace as companies compete to get your attention).
All the indicators are that there is an insatiable appetite for businesses to monetise our personal data – regardless of the rules – while at the same time individuals are increasingly exercised about their rights and they, along with the regulators, are taking action. The two cannot always co-exist. So, while the GDPR was not a revolution in and of itself, but rather built on an already existing privacy framework, it most certainly has changed attitudes and behaviours – and in that regard, it is absolutely working.
For more on this topic, please contact Eoghan Doyle.