GDPR came into effect on 25th May 2018. It requires organisations to have appropriate policies, procedures and processes in place to protect personal data, and to take a risk-based approach to data protection: organisations must implement appropriate technical and organisational measures, and individuals are given extended rights over their data. Penalties for organisations that are not in compliance with GDPR can be severe, up to €20,000,000 or 4% of global annual turnover, whichever is higher.
What has happened since 25th May 2018?
It seems not a lot has happened since the introduction of GDPR but if you dig deeper you’ll find the various EU data commissioners have been inundated with data complaints.
- A total of 59,430 data breaches have been reported since May 2018.
- 91 reported fines have been issued under GDPR.
- Most notifications reported by country: Netherlands 15,400, Germany 12,600, UK 10,600.
- Fewest notifications reported so far by country: Cyprus 35, Iceland 25, Liechtenstein 15.
Some GDPR fines to date:
- France: €50 million
- Portugal: €400,000
- Poland: €220,000
- Germany: €80,000
- Austria: €4,800
What about Ireland?
The Irish Data Protection Commission (DPC) reported 4,740 valid data breach notifications in 2018, 75% of them received after 25th May. The DPC also received 4,113 complaints in 2018, 70% of them after May.
What types of breaches have been reported to the DPC?
- 85% disclosure
- 5% paper lost/stolen
- 3% hacking
- 3% phishing
- 2% devices lost/stolen
- 1% malware
- 1% inappropriate disposal of paper.
Currently the DPC has 50+ open investigations, 17 of them into multinational technology companies based in Ireland and 8 into Facebook alone. The Commission has increased its staff numbers in recent times to 135 and is still growing.
Key factors for organisations to note from the DPC.
- Report breaches on time (to the DPC within 72 hours of becoming aware of the breach).
- Notify the affected data subjects (the individuals concerned) without undue delay where the breach is likely to result in a high risk to them.
- Have a breach playbook (know what to do in case of a data breach before it happens).
- Train your employees (don't leave it to one person).
- Retain records of every breach, including those you decide not to notify.
Brexit and Data Implications:
As we know, Britain is due to exit the EU on 31st October 2019. That date could change depending on the outcome of the leadership and Brexit talks, but let's say for now that the UK leaves on 31st October. What happens then?
Some possible scenarios:
- A no-deal Brexit
- A new withdrawal agreement is agreed
- A new Common Market 2.0 arrangement
What happens if there is a no-deal or hard Brexit?
- The UK will become a "third country", i.e. a country outside the EU and the European Economic Area (EEA).
- Data transfers to a third country are allowed without further safeguards only if the European Commission has deemed that country to have an adequate level of data protection (an adequacy decision). The UK will not automatically have one on exit day.
- Where no adequacy decision exists, the organisation in the EEA exporting the data must put appropriate safeguards in place before transferring personal data to that third country.
- Some appropriate safeguards are:
  - Binding corporate rules
  - Standard contractual clauses
  - Approved certification mechanisms or codes of conduct.
DPC recommendations in case of a no-deal Brexit:
- Consider what personal data you are transferring to the UK, and why.
- Irish organisations intending to transfer personal data to the UK post-Brexit will need to put safeguards in place to protect the data in the context of its transfer and processing.
- The DPC recommends the use of standard contractual clauses (SCCs): https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
- Monitor your data protection compliance on an ongoing basis.
- Plan for when a data breach occurs, not if.
- Implement SCCs before transferring data to the UK.
- Keep up to date and check the Data Protection Commission website regularly: https://www.dataprotection.ie/
Image from rawpixel.com