Speaking at the IAPP Data Protection Intensive 2019 conference in London, a panel discussion on the first year of GDPR and “What Actions Have Been Taken?” explored how over €55m has been handed out in fines, although the majority of that was the €50m levied at Google. The last year has also seen data protection authorities more than double their head counts.
Moderator Vivienne Artz, chief policy officer of Refinitiv, reflected on data relating to investigations, reports and financial penalties since GDPR came into force. She said that in the UK, 206,326 total cases had been reported, of which 94,000 were complaints and 64,000 were data breach notifications. Of these, 52% had been concluded.
Artz went on to ask the panelists how they had adapted to life under GDPR. Stephen Eckersley, director of investigations at the UK Information Commissioner’s Office, said that the ICO had increased staff numbers from 380 to 700, while Jay Fedorak, information commissioner of the Jersey Channel Islands, added that staff had increased from four to nine people.
Eckerlsey explained that teams were added to deal with “the cyber problem” of breaches and state sponsored attacks, while teams were investigating “criminal breaches of the Data Protection Act and Freedom of Information Act” and regulating the NIS Directive.
Fedorak, who was formerly an assistant to current UK information commissioner Elizabeth Denham, said that there were ambitions of growing beyond 60 people for the 110,000+ population of the Channel Islands.
Eckersley said that a lot of the work since May 25 2018 had been on “legacy cases” and he acknowledged that issuing fines was “not only way to regulate,” but it was investigating: gathering evidence, reacting quickly and dealing with reports from data controllers and from the media.
Explaining how an investigation comes together, he said that an investigating team finds evidence and speaks to the data controller, looks for policy and procedures and it “all ends up in the same place – enforcement action.” This team then pulls the case together, which goes to the delegated authority, and a regulatory panel determines the size of the fine.
He said: “There were five bands under the 1998 DPA, and we are considering our options of continuing that approach or working with our colleagues in The Netherlands and Norway, and harmonizing the calculation of fines.”
Looking at the first year under the GDPR, Eckersley said: “There is a lot of work to be done, but we’ve got established processes,” he said. “It’s quite an exciting time to work at the ICO.”
Appearing via video link, Mathias Moulin, director of rights protection and sanctions directorate at the Commission nationale de l'informatique et des libertés, said that prioritization with colleagues was important, and regulation was pushing that as it was a “natural” expectation of GDPR to prioritize European cooperation for complaints “as we have a limited time limit to handle complaints.”
Commenting on the shift from data loss to other types of privacy breach (94,000 to 64,000), Moulin said that there is “still room to improve the processes of contact.”
Asked by an audience member if there is a problem of over reporting, Ecklersley said that the ICO recognized that it needed a dedicated team and in the first month of GDPR, 1700 breaches were reported and while it has levelled to 380-400 a month, “it more and more clarifies what GDPR is saying.”