by Evelien Callewaert
25 May 2018 is already about three months behind us, so it is time to evaluate whether the dreaded GDPR fines have actually become a reality. Or can we sleep easy for a bit longer? And what about our neighbouring countries? Time for a look back.
As you may already know, the GDPR provides for substantial penalties of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. But are those fines actually being imposed? No fines have been imposed in Belgium so far, but this can obviously change. The Data Protection Authority (DPA) is still being reformed, and the Belgian framework law was only published in the Belgian Official Gazette on 5 September. It is therefore quite possible that the penalty system will still change substantially. Our neighbouring countries, however, already offer a few examples of what to expect.
When we cross the border, we see that France is not lagging behind in imposing fines. A number of companies were fined heavily last summer. One of them received a fine of no less than 250,000 euros for security problems with a web shop. Another organisation was fined because it used personal data for purposes other than those originally stated. Nor were only large companies targeted: a French non-profit organisation was fined 75,000 euros in June.
In the Netherlands, our northern neighbour, the regulator has so far mainly concentrated on warning organisations about the mandatory appointment of a DPO. Government organisations in particular were targeted, but the medical sector was not left unscathed either. Moreover, since August 2018 the Dutch authority has been carrying out random checks on whether a register of processing activities is in place, across many sectors such as industry and metal, construction, trade, catering, travel organisations, communication, financial services, business services and healthcare. In our view, the register of processing activities remains the basic document for applying the GDPR properly.
The UK and Germany, for their part, have long had a solid reputation for strictly enforcing regulations, and this also applies to the GDPR. Numerous fines have been issued, for infringements such as hacks that were not reported to the supervisory authority, selling data to third parties, sending e-mails to the wrong recipients and sending spam e-mails.
Note that the fines above were largely imposed for facts dating from before the GDPR came into effect, i.e. under the previous national rules. The first fines under the GDPR itself are expected in early 2019 and may well be higher and more frequent.
You do not need us to tell you that fear is a poor advisor. There is no need to be afraid of the GDPR, but it is important that you follow the rules. Belgium is admittedly still a bit behind in sanctioning infringements, but the stated intention was to raise awareness in 2018 and to expand the supervisory authority further. We can therefore expect more stringent action in the coming year against companies that ignore the rules.
We therefore expect that enforcement in 2019 will mainly be triggered by complaints from third parties (such as competitors, dissatisfied customers and current or former staff) and by companies that have been hacked. If it turns out that you as a company have made little or no effort and do not have the right documents, procedures and/or security in place, fines are a possible consequence. Besides fines, the GDPR of course carries other risks, such as a ban on processing imposed by the supervisory authority, data loss due to hacking or reputational damage.
Our team of specialists will gladly help you to get the most necessary and most urgent elements in order. On the legal side, for example, you must have a register of processing activities, a procedure for data breaches, procedures for handling the rights of data subjects and a privacy statement with which you communicate your GDPR policy transparently to the outside world. On the IT side, it is important to work out a sound security policy, something our specialists are happy to support. In addition, we advise you to appoint an (external) data protection officer (DPO). Although a DPO is not mandatory for every organisation, the GDPR is a never-ending story that must be continuously monitored and followed up.
Still not convinced by the GDPR, or reluctant to prepare for it? Try to see the GDPR as an opportunity to make your processes and your handling of data more efficient. An audit by our multidisciplinary team can reassure you both now and in the future and provide the necessary recommendations.
Evelien Callewaert
Senior Advisor Legal evelien.callewaert@vdl.be
Disclaimer
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.