It’s the question everyone in data protection circles has been asking for the last six months: What happens on May 26? With the General Data Protection Regulation finally coming into force on May 25, people are curious what enforcement will look like. Certainly, the EU and member states take privacy and data protection seriously, but, to date, there have been a limited number of enforcement actions.
Some would argue this is because many countries neglected to give their data protection laws any enforcement teeth, and that may be part of the reason we now have the GDPR. But the GDPR has done much more than simply give data protection authorities bigger sticks to wield; it has also provided new data subject rights, new obligations for data breach notification, and lots of other operational issues that organizations may be struggling to deal with.
Will data protection authorities (DPAs) expect everyone to be up to speed on day one? Will they be handing out fines immediately? Will there be many fines? Will the fines be at the outside edge of the DPAs’ fining authority?
In short: Not likely. And how do I know? The DPAs said so.
As the head of an organization that hosts privacy and data protection conferences around the globe, I’ve had the pleasure to listen to many of Europe’s leading data protection authorities speak about their enforcement priorities. Thus, I can offer some advice for nervous organizations eyeing May 26 and knowing they may not have everything totally buttoned up.
First, do something. Show the effort. Even if you’re not finished preparing for the GDPR, French DPA Isabelle Falque-Pierrotin has said, “this is not a problem. This is a learning curve and we will take into account, of course, that this is a learning curve.” However, she said at the same time, it’s important that you “start today, not tomorrow. Today.”
If a regulator comes calling, and you can demonstrate that you’ve started down the path, that will go a long way.
Second, get your privacy notice updated and in order. Tell people exactly what you’re doing with their data and make sure you let them know their rights, just as the GDPR outlines. “Transparency is going to be a key enforcement priority,” I’ve heard Irish DPA Helen Dixon say. “We’re starting with transparency because we think it’s key. The exercise of rights simply can’t happen if there hasn’t been transparency.”
If you’re collecting data and doing something with it that’s not transparent to your customers, that’s not going to go well for you. And, if you’re legally required to have a data protection officer, make sure you name one and post the details of their contact information.
Third, make sure you communicate. Some of these problems are really hard to solve. If you’ve got an issue, don’t pretend it doesn’t exist. Don’t hope no one notices. U.K. DPA Elizabeth Denham has been very explicit about this: “Report to us, engage with us,” she said at the recent Data Protection Intensive conference in London. “Show us your effective accountability measures, and if you do, that’s going to be a really important factor when we consider any regulatory action.”
While not every EU data protection authority is equally collaborative, the GDPR now brings the idea of consultation into law.
All of that said, you certainly shouldn’t continue business as usual and hope for the best. “There are no grace periods,” said Austrian DPA and Article 29 Working Party Chair Andrea Jelinek, “because the grace period was already two years. You had two years to look at your operations and what you have to change.”
Echoing that sentiment was Dixon: “There will be fines, and they will be significant. … I think it is quite clear that when we do identify an infringement that’s of the gravity, duration, and scope that is serious, then we are obliged considerably to administer an administrative fine.”
Denham agreed as well: “Hefty fines can and will be levied on those organizations that persistently, deliberately, negligently flout the law.”
There will be warnings. There will be investigations. There will be fines. But organizations making a good-faith effort should be less of a focus for enforcement agencies. For now.
Trevor Hughes is president and CEO of the International Association of Privacy Professionals (IAPP).