Author

Debbie Heywood

Senior Counsel – Knowledge


19 June 2019

Happy birthday to the GDPR!

The GDPR has been in effect for a year now. What have we learned and what's next?

What's the issue?

As we all know, the GDPR came in on 25 May 2018, introducing a sea change in data protection practices with enhanced rights for individuals and additional obligations on data controllers and processors.

What's the development?

The one-year anniversary of the GDPR unleashed a torrent of introspection and reflection, but it has been a useful time for stock-taking, both to look at the impact the GDPR has had so far and to highlight some of the issues regulators will be focusing on over the next 12 months.

The UK's ICO published a blog post in honour of the anniversary and a report on the GDPR's first year. Unsurprisingly, last year saw a significant uptake of individuals exercising their data privacy rights. There was also an increase in data breach reports, with 14,000 received by the ICO in the first eleven months of the GDPR. Of these, only 17.5% required further action from the organisation.

The EDPB reports that 144,000 queries and complaints have been made, and over 89,000 data breaches reported, under the GDPR. The majority of cases (63%) have now been closed and 37% remain ongoing. The ICO is currently the Lead SA on 93 cases with cross-border implications.

For businesses, there have been a number of areas of change but the most tangible external effect has been felt in the rise of Subject Access Requests. All that publicity around the GDPR paid off and individuals are much more aware of their rights, and are prepared to exercise them.

What does this mean for you?

The ICO has urged organisations to focus on accountability and recruiting DPOs over the coming months, stressing that compliance is an ongoing obligation.

We've also had warnings from other regulators, including the CNIL, that further enforcement is coming. Judging by the number of complaints filed, one of the areas regulators will be looking at is Adtech and the world of real time bidding (see our article for more).

Protecting children's personal data is high on the agenda. The ICO is currently consulting on its draft Age Appropriate Design Code. Direct marketing continues to be a thorny issue, especially in the absence of the ePrivacy Regulation (now not expected to be completed this year). The ICO will be launching a consultation on a Code of Practice in June, together with one on data sharing.

The other big issue on the horizon is data exports. There are cases challenging the EU-US Privacy Shield and the use of Standard Contractual Clauses to transfer personal data to the US, coming up before the General Court and the CJEU respectively in July. Coupled with the stormy waters of Brexit, there could be a considerable amount of change in this space in the autumn.

All in all, this means now is as good a time as any to review your data protection practices and policies with the benefit of a year's experience of the GDPR.
