May 25 marked the third anniversary of the EU General Data Protection Regulation (GDPR) coming into force. In the tradition of marking such milestones, we’ve spotted some significant trends that emerged during the past year.
The first is that some clear patterns have emerged when it comes to enforcement decisions. Although the GDPR has 99 articles, the decisions from data protection authorities around Europe mainly centre on four key areas.
Lack of legal basis for processing data
The first, and by some distance the largest, of these areas is a lack of sufficient legal basis for processing. In other words, this is when an organisation doesn’t have permission to process that data. So far, authorities have imposed more than 200 fines totalling over €160 million for this infringement.
The second most common area for enforcement, albeit by some distance, is a lack of sufficient information security. With the Health Service Executive currently in the grip of a major ransomware incident, cybersecurity is a prominent issue for the public, as well as boards of directors and management.
Non-compliance with GDPR’s transparency principle
The third most common reason for enforcement decisions is a lack of transparency under the principles of GDPR. Simply put, this is where organisations don’t tell people clearly enough what data they are gathering and for what purpose.
The fourth and final source of fines is for not fulfilling the rights of data subjects, in particular the right to to have information deleted.
Enforcement is increasing at a faster pace
In 2020, there was a fundamental shift in the number and value of fines across Europe, as data from the GDPR Enforcement Tracker shows. Almost 50% of the total number of fines were issued in 2020. If last year’s trend continues, we should expect to see this number grow again in 2021.
At the same time, another development throughout last year is that organisations are appealing against decisions more than before. By kicking this back to their data protection authority, they are hoping to either reduce or possibly even remove fines.
The last trend to note is that GDPR hasn’t yet fully harmonised data protection regulations across Europe as intended. Germany, Italy, France, the UK, and Spain contributed to the majority of fines in terms of value and volume. Still, all jurisdictions increased enforcement decisions in 2020. For a summary of these trends and fines, you can look at this slide put together by our Data Protection Consultant, Tom Knierim.
GDPR is a large piece of legislation and it can be tough for SMEs and startups to navigate. But based on the developments we have covered here, it’s possible to narrow the field a little. By paying attention to what their DPA deems to be the most important parts of GDPR, judging by the fines, smaller firms and organisations can focus their compliance programmes more effectively.
In our next blog, we’ll look at the latest developments in the Schrems II case and what this means for EU-US data transfers.