The introduction of GDPR led to one of the biggest frenzies in corporate activity we’ve seen in quite some time. Much of it was quite unnecessary and hysterical, based on incomplete information and bad advice.
Sure, it was necessary to get ready for GDPR and to ensure that we were compliant. The really important point is that it still is.
But the tendency for some might be to think that GDPR came and GDPR went and the sky didn’t fall in and the world didn’t end and, well, nothing much happened.
Well, that is, nothing much has happened yet.
But the absence of evidence is not evidence of absence.
We are still in the very early days of GDPR implementation. We’ve known it was coming for over two years (the GDPR was actually passed into law in May 2016, but it was given a two-year lead time in order to enable businesses to get ready). And so we have been told in no uncertain terms that, as there was such a long lead time, there would be no grace period and the law would be enforced in full from the outset.
But even then, the results of legal enforcement are not something we are likely to see overnight. It will take time before we see the outcomes of reported cases, and public reports of what penalties are likely to be imposed.
But that does not mean we can be complacent in the meantime.
So, to get an idea of what non-compliance with article 27 of the GDPR might look like we have to go back in time a little to a case involving WhatsApp.
WhatsApp were taken to task by the Dutch government under the Dutch laws that preceded GDPR, which included a provision similar to article 27 requiring a controller processing data on behalf of data subjects based in the Netherlands to have a presence in that jurisdiction. WhatsApp didn’t.
The Dutch data protection authority issued WhatsApp with a compliance order and imposed a penalty of €10,000.00 for each day that they failed to comply. WhatsApp then appealed to the Dutch Administrative Court, which ruled against them, and so, presumably, they must have ended up with a hefty legal bill into the bargain.
That was back in 2016 and under the data protection laws that preceded GDPR. The really important thing to note here is that the GDPR strengthened and increased the EU system of fines for enforcement of data protection laws.
So while the WhatsApp case is the closest thing to a precedent that we currently have in this area, the system of fines under GDPR is only likely to go one way, and that is up.
Now WhatsApp is owned by Facebook, and presumably, this kind of thing, while embarrassing, is relatively small beer for them in the grander scheme of things.
Could you say the same about your business?
There’s a very interesting piece with some more detail on the WhatsApp case here.