Enough time has passed since the General Data Protection Regulation (GDPR) came into effect, allowing GDPR-relevant people whose personal data is being collected, held or processed time to exercise their rights and clear their inboxes of privacy-update emails. For Data Protection Authorities (DPAs), the past few months have yielded a list of companies suspected of not meeting GDPR-mandated requirements, primarily due to data-subject complaints, data-breach violations by the data controller and data-breach violations by subprocessors. Being placed on the investigation list is a fear for global companies because of the potential to incur very strict fines and the risk of a negative impact on the company’s reputation.
The data-subject rights mandated by GDPR expose how companies are able to eradicate, amend and summarize specified personal information while also providing services tailored to data subjects who do not authorize their consent. If a data subject decides to exercise his or her rights and the company cannot meet the GDPR requirements, the company is in violation and may be placed under investigation.
Besides the failure to fulfill requests for data-subject rights, companies face the threat of DPA investigation when the data controller fails to notify the correct supervisory authority, or the data processor fails to notify the respective data controller, within 72 hours of validating a data breach. This issue is more widespread than one might imagine, as over 1,100 failure-to-notify alerts and data-subject complaints were reported to the U.K. information commissioner’s office during just the first few weeks GDPR was in effect.
The EU member-state report noted that Ireland received the highest number of criticisms, with 547 data breaches and 386 complaints. Sweden, by contrast, received only two complaints. (The discrepancy in the number of reported complaints each EU state receives is dependent on factors such as citizen awareness and perception, resource availability, and even method of complaint.)
In addition to providing data subjects the right to file a complaint with a DPA, GDPR offers the private right to action, which includes enacting class-action lawsuits against corporations, a method of exercising rights that was not previously available. Allowing data subjects to bypass the DPA and develop a group lawsuit significantly increases the impact of one complaint and creates power in numbers.
As time passes and the novelty of the regulation subsides, global companies will be able to further gauge the necessity of making preparations and taking precautions, recognize the primary violation channels, and realize what it will take to meet GDPR requirements going forward.
Tap into Protiviti’s GDPR resources and bookmark the page for future updates.