So it’s begun. The GDPR has been in effect for more than a month. While that’s not really enough time to be able to gather meaningful data on what’s being done, we can certainly gain some insight and learn a bit from actions being taken by supervisory authorities like the UK’s Information Commissioner’s Office (ICO), France’s National Commission on Informatics and Liberty (CNIL) and the Austrian Data Protection Authority (DSB).
Across the board supervisory authorities have said they’ve seen a sharp increase in complaints, which indicates that individuals are becoming aware of their new rights under the GDPR and are beginning to exercise them. The CNIL said it’s seen a 50 percent increase in the number of complaints and the DSB said it had more than 100 complaints. The vast majority of these complaints at the moment appear to be against high profile companies like Facebook and Google, but that may change as individuals begin to exercise their rights more broadly.
They also all said that the number of breach notifications being reported by organisations has seen a substantial increase. The DSB said it had more than 59 breach notifications in the past month, representing an eight-fold increase over what it would normally see in a month. This is good news as it shows companies as well as individuals are taking the GDPR seriously.
But it’s not just individuals and companies that have been busy. The supervisory authorities have started to hand out fines.
In the UK, it seems the ICO has decided to go aggressively after firms that don’t respect their customers’ wishes. Recently, there have been several fines levied against companies that sent marketing emails to clients when they didn’t have the clients’ consent.
The ICO has issued some pretty detailed advice in relation to direct marketing. If your organisation does any direct marketing in the UK we strongly suggest you take the time to review it. You can find the advice here.
Additionally, the ICO has said you should reach out to it for clarification if you’re unclear. This is a case of it being better to ask permission than to beg for forgiveness as the ICO is being clear that it’s going to fine and not forgive.
In France, the CNIL issued a large fine of 250,000 euros to the Optical Center because it had insufficient database security in place (it was possible to access personal data on individuals via their website). The CNIL had actually informed the company of the problem in July of 2017, but by June 2018 the issue still hadn’t been addressed. Whereas in 2017 the CNIL didn’t have authority to do anything other than ask the company to remedy the issue, when the GDPR came into effect the CNIL had the authority to fine the company and it did.
Considering the actions taken by supervisory authorities so far, we can be pretty sure of what to do to stay on the right side of the law:
All four points above correspond to core functionality provided in GDPR365. Take a look today to check if you’ve got your assessments, documentation and processes in place, so you don’t become caught out like these unfortunate few.