It’s now just over a year since the General Data Protection Regulation (GDPR) came into force across Europe. The run up to the enforcement date of 25 May 2018 was full of drama: panic about multi-million pound fines for infringements and a flurry of (often unnecessary) emails requesting consent.

The aftermath has been somewhat less dramatic.

While the French equivalent of the Information Commissioner’s Office (ICO), CNIL, fined Google €50million for lack of transparency, other data protection authorities have levied much smaller fines, and the ICO has yet to issue a fine under GDPR.

That doesn’t mean the ICO isn’t taking action, though. In May, it issued an enforcement notice under GDPR to HMRC, requiring HMRC to delete biometric data it had recorded without providing sufficient information to data subjects. HMRC has 28 days from the date of the final enforcement notice to delete the records.

Data protection agencies across Europe are working through high volumes of data breach notifications from ‘offending’ organisations, as well as large numbers of complaints, typically focusing on lack of transparency and consent. Investigation of breaches takes time, so the slow start doesn’t mean we shouldn’t expect to see fines being issues in the future.

What should I be doing now?

Even those who met the 25 May 2018 deadline for compliance should not be complacent. Things move on, staff come and go, and interpretations change. Take time now to:

  1. Audit your policies and processes. Are they still fit for purpose?
  2. Review in particular your privacy policies to ensure they are sufficiently specific, in light of the high number of complaints focusing on transparency and consent.
  3. Offer refresher training to relevant staff, tailored to their specific use of and interaction with data.
  4. Ensure staff are clear on what to do if a breach happens. Given the limited reporting time, swift action is a must.

If you or your organisation require training on GDPR, don’t miss Central Law Training’s range of data protection training, including: 

If you're in Scotland, visit https://www.clt.scot/search.aspx?practice=DataProtection to see our range of available training.