This is the first of a weekly post where I will try to highlight whatever interesting happened, related to data protection and my thoughts on it.
There is often a lag between the passing of a law and when it begins to be enforced. We’ve seen this with GDPR. Its clauses need to be clarified. The supervisory authorities need to staff up and get funding before they can adequately enforce it. Individuals or groups need to bring to cases to court to clarify the interpretations. It all takes a lot of time. So far, according to Privacy Affaires 352 fines have been issued.
One of the more interesting developments this week is that 3rd parties are beginning to get more vocal and are starting to pressure the Supervisory Authorities to actually enforce the data protection regulations. This pressure from watch dogs may lead to more aggressive enforcement
In the UK, Which? asked ministers to activate a clause in the Data Protection Act that would allow them to sue companies on behalf of data breach victims (link). While the ICO has imposed fines on some large business, most of them have yet to be levied. If these clauses are activated, collective redress regime would give the regulation a lot more teeth in the country. While a single individual is easy to brush aside a group of impacted individuals is not.
In Ireland, the Irish Council for Civil Liberties pressured the Data Protection Commission to take action against the ad-targeting industry. Real-Time Bidding (RTB) platforms like Google’s Ads allow ad buyers to target individuals based upon health, sexuality, politics or other sensitive category personal data that under the GDPR requires a specific lawful basis for processing usually explicit consent. Given the size of the Internet advertising marketplace and the power of the firms involved the authorities have been treading slowly. Could it be that mounting external pressure form third party organisations can get them to move toward actually enforcing the regulation?
COVID has caused more individuals to work from home. As a result, people are undoubtedly using work laptops for personal browsing and to run non-work applications. They’re also using personal devices to access corporate data. This means that organisations need to have work from home policies and they need to train their employees on these policies,GDPR365 provides companies with a GDPR regulatory management plan using modern automated tools to make it easy to draft and distribute these policies.