The 25th of May 2018 has come and gone and most people are asking, “what about all the massive fines we were expecting to hear about?” or, “the GDPR was just another Y2K, there was a lot of hype but we’ve yet to hear of any enforcements, planes didn’t fall out of the sky” etc.
Be warned, just because we haven’t heard of enforcements and fines yet, doesn’t mean they aren’t coming. An interesting article reported by the IAPP, based on feedback from Data Protection Authorities (DPAs) and rights groups, states that complaints and breaches reported to the DPAs/Supervisor Authorities have to go through a process which can take months before an enforcement is issued, with some DPAs stating they could take a minimum of six months from when the event is reported to when the fine or enforcement is issued. [see full article here].
In July, the Irish Data Protection Commission reported a significant increase in the number of data breach notifications they received since the GDPR came into effect [see here]. This isn’t surprising, given that the Accountability framework in the GDPR requires data controllers to report data breaches to the DPC within 72 hours of becoming aware of them. Once received, the DPAs have to investigate and respond to each one.
So in applying the minimum six month wait time to these, the earliest we should be expecting to get news of fines and other enforcements such as an order to cease all processing, would be Dec 2018 timeframe.
Ensuring we can demonstrate compliant processes and put appropriate safeguards and technical measures in place to protect us from the most common data breaches reported by the DPAs, such as sending data to the wrong recipients, is the action we need to take if we haven’t already, because the GDPR is the law and unlike Y2K it isn’t going away.
To find out how Wizuda can help you avoid some of the most common data breaches – see here.