Writing in this month’s Parchment magazine, Sarah Reynolds urges continued vigilance among senior management and employees with respect to their GDPR obligations. Ongoing monitoring of GDPR processes and procedures will be critical to the ability of organisations to remain compliant. Sarah Reynolds urges these organisations to view 25 May 2018 as the beginning, rather than the end, of their GDPR obligations.
A note of caution is sounded in the article in relation to human error, singled out as the main cause of data breaches, and the most difficult to prevent. These errors can circumvent the very best of GDPR processes and procedures, and require organisations to maintain an awareness of their obligations at all times.
The DPC can impose fines for GDPR breaches at one of two tiers. Higher tier fines can reach €20m or, if higher, 4% of the total worldwide annual turnover of the controller or processor in the preceding financial year. These higher tier fines can be imposed for infringements of obligations relating to the core data protection principles such as transparency and accountability, the processing of special categories of (sensitive) personal data and breaches of data subjects’ rights.
Lower tier fines can reach €10m or, if higher, 2% of the total worldwide annual turnover of the controller or processor in the preceding financial year. These lower tier fines may be imposed for infringements of obligations relating to obtaining a child’s consent, to the communication of a personal data breach to the supervisory authority or the data subject, or to the designation, position and tasks of the data protection officer.
Under Article 83 of the GDPR the DPC must consider the nature, gravity and duration of the infringement, whether it was intentional or negligent, any mitigating factors, the technical and organisational measures in place to prevent it, and the categories of personal data affected before imposing a fine. The quantum of any fine must be approved by the Court, and the affected organisations are entitled to appeal the fines imposed by the DPC.
From the 25th of May 2018 to the 16th of November 2018, the DPC has logged 3,111 data breach notifications. Of these notifications, the GDPR applied in 2,734 cases. The DPC has also logged 2,168 complaints, with the GDPR applying in 1,321 cases. Sarah Reynolds points out that these figures have increased from last year, indicating a climate of increased awareness of GDPR obligations.
The DPC has yet to exercise its fining powers, and we do not yet know the parameters for fines relating to breaches of the GDPR. Of some guidance, however, is the recent fine of €400,000 imposed on a Portuguese hospital by the Portuguese Data Protection Authority for two separate breaches of the GDPR.
A civil claim for damages will also be open to impacted data subjects under section 128 of the Data Protection Act 2018, without lodging a complaint with the DPC. However, Sarah Reynolds suggests that it is more likely that a parallel claim will be lodged with the DPC in