GDPR’s first birthday in six lessons (Altius)
Author: Gerrit Vandendriessche (Altius)
Publication date: 04/07/2019
The General Data Protection Regulation (GDPR) has just celebrated its first anniversary. Although EU businesses and individuals seem well aware of its existence, some controllers and processors are still not fully GDPR compliant. Those that have already undergone a GDPR audit must realise that compliance has to be monitored continuously.
Although Belgium has been late in implementing and enforcing GDPR, the freshly appointed supervisory authority is expected to tighten the GDPR screws in the coming months.
On 25 May 2019, the EU marked the first anniversary of the application of the General Data Protection Regulation (GDPR).
A recent report published by the European Commission shows how GDPR has entered the lives of European citizens and businesses:
- 67% of Europeans have heard of GDPR
- 57% of Europeans know that they can file a complaint with a local supervisory authority
- Almost 90,000 data breach notifications were filed across the EU
- About 450 investigations were conducted by supervisory authorities, two-thirds of them initiated on the basis of complaints by individuals
- Several fines were imposed, ranging from EUR 2,000 to EUR 50 million
Another study, conducted by IAPP-EY, shows that businesses still struggle with GDPR compliance:
- Less than 50% of the respondents to the study said they were fully GDPR compliant
- Almost 50% said that they were partially compliant
- Some respondents even said they are not compliant at all and/or will never be able to comply with GDPR
- The privacy maturity of organisations did not increase over the last 3 years
GDPR implementation in Belgium
Belgium lagged behind in implementing GDPR. The Belgian implementing act was only finalised after GDPR became applicable on 25 May 2018, and the new members of the Belgian supervisory authority were only appointed in April 2019, almost one year later. As a result, GDPR enforcement got off to a very slow start in Belgium.
For these reasons, Belgium has not yet seen major GDPR court cases, apart from the litigation between the supervisory authority and Facebook. That case was brought before GDPR became applicable and led to a first-instance decision ordering Facebook to cease the online tracking of Facebook users and non-users. On appeal, however, the Brussels Court of Appeal partially overturned the first decision and referred several preliminary questions on the GDPR one-stop-shop mechanism to the Court of Justice of the European Union.
The freshly appointed Belgian supervisory authority did not wait long: in the first month after its appointment, it fined a mayor EUR 2,000 for using the e-mail addresses of building permit applicants to distribute election propaganda.
6 lessons after 1 year of GDPR
Lesson n° 1: GDPR is not a one-off exercise
GDPR is not over when the GDPR audit is done and all GDPR related documents are drafted.
GDPR requires the continuous checking, monitoring and evaluation of anything that can affect data processing (art. 24 GDPR): new types of processing, new categories of data, new processors, new recipients, new risks, new technology, new processing locations, data breaches, etc. In addition, a number of GDPR concepts and obligations still await guidance and recommendations from EU and national authorities.
Every controller and processor must continuously monitor these changes and adapt its GDPR compliance accordingly.
Lesson n° 2: data is personal unless the contrary is proven
Many controllers think they are not subject to GDPR because they process anonymous data.
The definition of anonymous data under GDPR is strict: it covers only data for which the link between the data set and the data subject has been irreversibly broken. Removing direct identifiers from a data set (e.g. deleting the name but keeping the other data elements) does not automatically make the data anonymous. Nor does encryption, pseudonymisation or, according to the Article 29 Working Party, even hashing of personal data: as long as someone holds the key, or can enumerate the likely inputs, the link can be restored.
Hence, when data about individuals are processed and it is claimed that only anonymous data are involved, carefully verify whether the link between the data and the individual is truly irreversibly broken.
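To illustrate the hashing point above, here is an added example (written for this page, not code from the article or from the Article 29 Working Party). The Python script pseudonymises e-mail addresses with an unsalted SHA-256 hash and then shows two things: an attacker who holds a plausible word list re-identifies the records simply by hashing the candidates, and identical hashes let two separate releases be joined even without reversing a single one. A keyed HMAC variant shows why that is still pseudonymisation rather than anonymisation: an outsider without the key gets nothing, but the key holder restores the link at will. The e-mail addresses, the demo key and the "leaked address book" are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the article): a customer
# table whose e-mail column has been replaced by an unsalted SHA-256 digest,
# a pattern that is frequently, and wrongly, described as "anonymised".
CUSTOMER_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# Constructed demo key for the keyed variant below; in practice this is the
# "additional information kept separately" that art. 4.5 GDPR refers to.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def unsalted_pseudonym(value: str) -> str:
    """Unsalted SHA-256 of the identifier: deterministic and key-less, so
    anyone who can guess the input can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier: still deterministic, but only
    reproducible by whoever holds the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def export_table(emails, pseudonym_fn):
    """Replace the e-mail column by a pseudonym; other attributes stay as-is."""
    return [{"id": pseudonym_fn(e), "postcode": "1000"} for e in emails]


def dictionary_attack(table, candidate_emails, pseudonym_fn):
    """Re-identification by enumeration: compute the pseudonym of every
    plausible input and look the table's ids up in the result. Returns a
    map from id to the recovered e-mail, or None when no candidate matched."""
    rainbow = {pseudonym_fn(e): e for e in candidate_emails}
    return {row["id"]: rainbow.get(row["id"]) for row in table}


def linkable_ids(table_a, table_b):
    """Even without reversing any hash, identical pseudonyms let two
    separately released tables be joined on the same person."""
    return sorted({r["id"] for r in table_a} & {r["id"] for r in table_b})


if __name__ == "__main__":
    # Constructed attacker word list: a leaked address book that happens to
    # overlap with two of the three customers.
    leaked_addresses = ["alice@example.com", "bob@example.org", "dave@example.com"]

    plain_hashed = export_table(CUSTOMER_EMAILS, unsalted_pseudonym)
    recovered = dictionary_attack(plain_hashed, leaked_addresses, unsalted_pseudonym)
    print("unsalted SHA-256, outsider with word list:",
          sum(v is not None for v in recovered.values()), "of", len(recovered), "re-identified")

    keyed = export_table(CUSTOMER_EMAILS, lambda v: keyed_pseudonym(v, DEMO_KEY))
    outsider = dictionary_attack(keyed, leaked_addresses,
                                 lambda v: keyed_pseudonym(v, b"wrong-guess"))
    insider = dictionary_attack(keyed, leaked_addresses,
                                lambda v: keyed_pseudonym(v, DEMO_KEY))
    print("HMAC, outsider without key:", sum(v is not None for v in outsider.values()), "re-identified")
    print("HMAC, key holder:", sum(v is not None for v in insider.values()), "re-identified")

    # A second release of the same customers (e.g. a marketing export) shares ids.
    second_release = export_table(CUSTOMER_EMAILS[:2], unsalted_pseudonym)
    print("records linkable across releases:", len(linkable_ids(plain_hashed, second_release)))
```

The practical takeaway matches the lesson: a hashed identifier is only as hard to reverse as its input space is to enumerate, and e-mail addresses, phone numbers and national identification numbers are all enumerable. Keying the hash moves the risk to whoever holds the key, which is exactly what GDPR calls pseudonymisation; the data remain personal data in the hands of the key holder and of anyone who can obtain the key.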
Lesson n° 3: do not treat "consent" as a joker or master key
Many organisations rely heavily on consent as the legal basis for each and every processing operation (art. 6.1.a and art. 9.2.a GDPR).
Although consent may seem a simple and safe choice, in reality it is not. GDPR imposes strict conditions for consent to be valid: it must be freely given, specific, informed and unambiguous, given by a clear affirmative act, clearly distinguishable from other matters when it is part of a written declaration, as easy to withdraw as to give, and demonstrable by the controller (art. 4.11 and art. 7 GDPR). Very often at least one of these cumulative conditions is not met, which makes the consent invalid and the processing unlawful.
Consent is one of the available legal bases, but not the only one (art. 6.1.b to 6.1.f and art. 9.2.b to 9.2.j GDPR). Always check whether another legal basis is available and better suited to the processing at hand.
Lesson n° 4: privacy information must be clear and plain
Data subjects are entitled to information that is concise, transparent and intelligible, provided in clear and plain language (art. 12.1 GDPR).
Many privacy policies are long, opaque, hard to understand and stuffed with legalese instead of plain language. Such policies are likely to breach GDPR. In addition, controllers regularly try to "oversell" their privacy friendliness and GDPR adherence with "we are so GDPR great" language. This overselling can backfire, because it creates the impression that the controller will do more than GDPR requires, which is often not the case.
We recommend keeping privacy policies short and to the point and, where they must be longer, well structured and layered. We advise against statements implying a level of compliance beyond what GDPR requires.
Lesson n° 5: EU-wide rule, local implementation
Although GDPR is a regulation that applies directly in every EU member state, its local implementation (i.e. the national deviations GDPR allows) and its interpretation can vary surprisingly between member states. Very often, additional local rules apply on top of GDPR (CCTV, image rights, do-not-call-me lists, etc.).
Make sure that any EU-wide data processing is checked by local data protection professionals.
Lesson n° 6: avoid triggering complaints
Two-thirds of supervisory authority investigations start with a complaint by an individual, and individuals are particularly sensitive about e-mail marketing, telemarketing and CCTV.
To avoid individuals forwarding your newsletter to the supervisory authority as a complaint, make sure your opt-ins and opt-outs are properly set up and respected at all times. Do not call people for commercial purposes without checking the do-not-call-me list.