Taking stock

A year since its introduction, Oliver Yaros evaluates the impact of the European data protection regulation

In 25 May 2018, the EU General Data Protection Regulation (GDPR) came into force. In the initial months EU data protection authorities (DPA) allowed companies time to improve their compliance, they carried out exploratory investigations and provided recommendations. The DPAs have since increased enforcement and investigations.

DPAs have resorted to indefinite or temporary suspension as a means of enforcement. There have been a few cases of suspensions, the most notable case is of the sanction on Dutch tax authorities by the Dutch data protection officer (DPO) for the use of national identification numbers as part of value added tax (VAT) return numbers for self-employed individuals. According to the Dutch DPA, using the national identification number heightened the risk of identity fraud and lacked any legal basis. As a result, from 1 January 2020, the processing of national identification numbers for the purposes of VAT has been prohibited.

In other cases, Malta’s DPO ordered national land register to temporarily suspend processing for the authority to investigate the land register’s response to a personal data breach. A Canadian technology and political consultancy company was ordered by the UK DPO to erase all personal data it held belonging to UK individuals.

There have been 446 cross-border investigations commenced by DPAs in the first year, either on their own initiative or following complaints by individuals.

A fundamental element of GDPR is the ability of DPAs to order substantial fines for non-compliance, which can be up to 4% of an organization’s annual global turnover in the financial year preceding the breach. To date, while there have been fines under the GDPR, significant fines have been rare. Just over €55 million (US$62 million) in fines were issued by DPAs in the first nine months of the GDPR.

Portugal’s DPA ordered a €400,000 fine on a hospital after patient records were accessible by users who were not entitled to access them, using accounts in the names of doctors not practising at the hospital. A German DPA, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg, imposed a €20,000 fine on a social media chat platform for its data storage practices after 800,000 email addresses and user passwords were compromised after being stored in an accessible format. The low level of fine was due to the social media platform’s quick response and remediation of the issue following its discovery.