GDPR Action and Fines So Far
It’s important to have a paper shredding organisation to help ensure there are no data protection breaches at the point of disposal of paper-based records. Many organisations are acutely aware of their obligations under the GDPR. However, as time goes by, it’s easy to become blasé and forget just how important the GDPR is.
Part of this is because the media went crazy over the implementation of the GDPR. Attention focused heavily on what organisations needed to do to comply in the run-up to 25th May 2018. The same media attention isn't being paid to the enforcement actions (including fines and compliance actions) which have taken place in recent months.
Impact of data protection infringements
In the worst-case scenario, fines for breaching the GDPR can be equivalent to 4% of an organisation's annual global turnover, or up to €20 million. It should, however, be noted that the fine can be set at whichever of these two amounts is higher.
In fact, this is a worrying problem. According to the EU GDPR Implementation Review Survey undertaken by IT Governance, the majority of organisations had still not implemented the regulation six months after its introduction. Indeed, only 29% of those surveyed reported that they had implemented all necessary changes.
It’s not surprising, therefore, that we are already seeing quite notable enforcement action under the GDPR.
Infringements of GDPR
There was an initial flurry of complaints under the GDPR. This saw claims brought against big names such as Facebook, WhatsApp and Instagram. However, the media didn’t particularly pick up on these. In total, 67 enforcement actions were brought by the ICO last year.
In October, Mr Buttarelli, the European Data Protection Supervisor, said that the first sanctions specifically for GDPR infringements were expected by the end of 2018.
That turned out to be the case, with the first Europe-wide fine imposed in Austria against a betting shop. This was connected to the misuse of a security camera. Since then, further fines have followed.
It's also been interesting to see that, so far, the fines imposed have been on the conservative side. However, with the large-scale data leaks at high-profile companies such as British Airways in recent months, we could well start to see much firmer fines.
Action in the UK
Looking at UK-specific action and fines, the future is perhaps even more concerning. Two examples stand out.
The first was against Uber. The ICO fined Uber £385k in November 2018 for personal data leaks which occurred during a cyber-attack.
The second was a notice issued by the ICO to AggregateIQ Data Services Ltd, a Canadian company using personal data for marketing. The ICO has requested that the company stop using EU data.
At the moment, paper records seem to be comfortably away from the spotlight. It makes sense that this would be the case, because the GDPR extended previous data protection legislation specifically to afford greater protection in the digital age.
However, that doesn't mean we can get lazy about how we handle and protect paper-based personal data.
One of the biggest risks concerning paper-based records is at the point of disposal. It's relatively simple and straightforward to have filing systems and protocols which keep relevant and current paper documentation secure. When you need to dispose of it because it is no longer relevant, or because the data subject has requested its destruction or deletion, using a paper shredding organisation is the perfect solution.