In the wake of the General Data Protection Regulation (GDPR), the biggest shake-up of data privacy laws in recent decades, which has now been in force for over a year since 25.05.2018, we have started to witness how data protection authorities (DPAs) use the powers of investigation and enforcement entrusted to them to ensure compliance with the GDPR.
A high-profile example of recent enforcement activity is the French DPA’s imposition of a $57 million fine on Google for GDPR violations, in particular for lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for the purpose of personalising advertisements. In Germany, the highest fine for a GDPR violation to date is the Baden-Württemberg DPA’s imposition of an €80,000 fine on a business for lack of internal controls in relation to health data on the internet. In Cyprus, the Data Protection Commissioner recently fined a state hospital €5,000 following a patient’s complaint about the hospital’s failure to provide access to her medical file, and a newspaper was fined €10,000 for unlawful disclosure of the names and pictures of two police officers.
Two significant investigative tools at the DPAs’ disposal, which they appear ready and willing to use, are dawn raids and audits. Dawn raids are unannounced, compulsory investigations conducted in response to suspected violations, complaints or whistle-blowing; under certain circumstances they grant DPAs access to the premises of businesses processing personal data. Dawn raids have already taken place in the UK and are expected to become widespread across the EU. Audits are an increasingly significant weapon in the DPAs’ armoury, allowing them to assess whether a controller or processor of personal data has effective controls, policies and procedures in place to support the fulfilment of its obligations under the GDPR. Notably, audits can be either consensual, at the request of a controller or processor of data, or compulsory. In summer 2018, German DPAs conducted random GDPR audits of a reported 50 companies by sending them comprehensive questionnaires assessing their overall GDPR compliance.
The use of the aforesaid mechanisms is expected to increase rapidly because of the mandatory reporting of data breaches under the GDPR. Moreover, given the numerous investigations that are taking place, many of them behind the scenes, we should expect to see many more headline-grabbing results of the DPAs’ enforcement activities in the near future.
In the GDPR era, the indisputable importance of having effective data protection mechanisms in place is clearly illustrated by the recent developments in DPAs’ enforcement activities described above. Given that data protection forms part of our law firm’s practice areas, we would be glad to provide our clients with our essential data protection services, which will fully equip processors and/or controllers of personal data to effectively face potential dawn raids, audits, investigations and other enforcement activities of the DPAs.
For further information on the GDPR, please refer to our other publication https://www.pirilides.com/en/publications/the-new-data-protection-regulation/ppp-301/177/.