So it’s begun. The GDPR has been in effect for more than a month. While that’s not really enough time to be able to gather meaningful data on what’s being done, we can certainly gain some insight and learn a bit from actions being taken by supervisory authorities like the UK’s Information Commissioner’s Office (ICO), France’s National Commission on Informatics and Liberty (CNIL) and the Austrian Data Protection Authority (DSB).
Increase in awareness and complaints

Across the board, supervisory authorities have said they’ve seen a sharp increase in complaints, which indicates that individuals are becoming aware of their new rights under the GDPR and are beginning to exercise them. The CNIL said it’s seen a 50 percent increase in the number of complaints, and the DSB said it had received more than 100 complaints. The vast majority of these complaints at the moment appear to be against high-profile companies like Facebook and Google, but that may change as individuals begin to exercise their rights more broadly. They also all said that the number of breach notifications being reported by organisations has seen a substantial increase. The DSB said it had received more than 59 breach notifications in the past month, representing an eight-fold increase over what it would normally see in a month. This is good news, as it shows that companies as well as individuals are taking the GDPR seriously. But it’s not just individuals and companies that have been busy. The supervisory authorities have started to hand out fines.
Reasons for fines already issued

In the UK, it seems the ICO has decided to go aggressively after firms that don’t respect their customers’ wishes. Recently, there have been several fines levied against companies that sent marketing emails to clients without the clients’ consent.
- BT was fined £77,000 for sending 5 million spam emails promoting charity initiatives.
- Flybe was fined £70,000 for sending 3.3 million emails to people who had deliberately told them they didn’t want to receive emails.
- Honda was fined £13,000 for sending 289,790 emails in the same circumstances.
Initial lessons already clear

Considering the actions taken by supervisory authorities so far, we can be pretty sure of what to do to stay on the right side of the law:
- Make sure your direct marketing – especially emailing – practices are in line with the GDPR and the ICO’s requirements.
- Make sure you close any known security issues, that you’ve done a thorough security review of your site, and that you’ve documented the issues you found and what you did to resolve them.
- Make sure you have a means to respond to data subject access requests, so that individuals come to you first instead of complaining immediately to their supervisory authority.
- Make sure you have a process in place to record, assess and report breaches to your supervisory authority.