GDPR enforcement begins – fines from the ICO and CNIL

So it’s begun. The GDPR has been in effect for more than a month. While that’s not really enough time to be able to gather meaningful data on what’s being done, we can certainly gain some insight and learn a bit from actions being taken by supervisory authorities like the UK’s Information Commissioner’s Office (ICO), France’s National Commission on Informatics and Liberty (CNIL) and the Austrian Data Protection Authority (DSB).

Increase in awareness and complaints

Across the board, supervisory authorities have said they’ve seen a sharp increase in complaints, which indicates that individuals are becoming aware of their new rights under the GDPR and are beginning to exercise them. The CNIL said it’s seen a 50 percent increase in the number of complaints and the DSB said it had more than 100 complaints. The vast majority of these complaints at the moment appear to be against high profile companies like Facebook and Google, but that may change as individuals begin to exercise their rights more broadly. They also all said that the number of breach notifications being reported by organisations has seen a substantial increase. The DSB said it had more than 59 breach notifications in the past month, representing an eight-fold increase over what it would normally see in a month. This is good news, as it shows companies as well as individuals are taking the GDPR seriously. But it’s not just individuals and companies that have been busy. The supervisory authorities have started to hand out fines.

Reasons for fines already issued

In the UK, it seems the ICO has decided to go aggressively after firms that don’t respect their customers’ wishes. Recently, there have been several fines levied against companies that sent marketing emails to clients when they didn’t have the clients’ consent.
    • BT was fined £77,000 for sending 5 million spam emails promoting charity initiatives.
    • Flybe was fined £70,000 for sending 3.3 million emails to people who had deliberately told them they didn’t want to receive emails.
    • Honda was fined £13,000 for sending 289,790 emails in the same way.
The ICO has issued some pretty detailed advice in relation to direct marketing. If your organisation does any direct marketing in the UK, we strongly suggest you take the time to review it. You can find the advice here. Additionally, the ICO has said you should reach out to it for clarification if you’re unclear. This is a case of it being better to ask permission than to beg for forgiveness, as the ICO is being clear that it’s going to fine and not forgive.

In France, the CNIL issued a large fine of 250,000 euros to the Optical Center because it had insufficient database security in place (it was possible to access personal data on individuals via its website). The CNIL had actually informed the company of the problem in July 2017, but by June 2018 the issue still hadn’t been addressed. Whereas in 2017 the CNIL didn’t have the authority to do anything other than ask the company to remedy the issue, once the GDPR came into effect the CNIL had the authority to fine the company, and it did.

Initial lessons already clear

Considering the actions taken by supervisory authorities so far, we can be pretty sure of what to do to stay on the right side of the law:
  1. Make sure your direct marketing – especially emailing – practices are in line with the GDPR and the ICO’s requirements.
  2. Make sure you close any known security issues and make sure you’ve done a thorough security review of your site, and documented the issues you’ve found and what you’ve done to resolve them.
  3. Make sure you have a means to respond to data subject access requests, so that individuals come to you first instead of complaining immediately to their supervisory authority.
  4. Make sure you have a process in place to record, assess and report breaches to your supervisory authority.
All four points above correspond to core functionality provided in GDPR365. Take a look today to check that you’ve got your assessments, documentation and processes in place, so you don’t get caught out like these unfortunate few.