How long can the GDPR be ignored?
According to a survey by the public opinion research company SKDS, only 39.3% of businesses have achieved full legal compliance with the GDPR[1]. This indicates either a belief that the GDPR's requirements can be left unapplied with no resulting sanctions, or an insufficient understanding of the GDPR, its significance and its objectives. It therefore seems important to report on the dynamics of complaints and fines in the European Union as a whole and in Latvia in particular.
According to the statistics of the State Data Inspectorate (GID)[2] for the period from the date the GDPR became applicable until August 31, 2018, the GID received:
- 880 complaints and allegations of unlawful actions involving an individual's data;
- 464 information requests on whether a given processing of personal data complies with the regulatory framework;
- 11 reference requests;
- 20 notifications of personal data breaches;
- 300 notifications of the appointment of a data protection officer.
Taking into account that in 2017 the GID conducted 927 inspections, already 55% more than in 2016[3], we can expect the number of inspections in 2018 to be even greater.
Similar trends are observed in other European Union countries, as residents have begun to think more about the security of their data and their right to its protection. On 25 January 2019, a joint statement of the European Commission was published[4] reporting that since the GDPR became applicable, the data protection authorities of the EU Member States have received more than 95,000 complaints from residents. Most of the complaints concerned data processing in telemarketing, advertising e-mails and video surveillance. In addition, more than 41,000 personal data breach notifications were filed; such breaches must be notified to the competent national data protection authority within 72 hours of the moment the controller becomes aware of them.
The data protection authorities of the EU countries began issuing the first decisions on data protection violations in the autumn. One of the first fines, in the amount of EUR 4,800, was imposed in Austria on a company that had installed its video cameras so that their field of view covered the sidewalk, meaning that public space was filmed in violation of the GDPR.[5] In October 2018, the Portuguese data protection authority imposed fines totalling EUR 400,000 on a hospital in Lisbon for three GDPR violations, finding that patient information was accessible to an unlimited number of people, that the basic principles of processing were not observed, that technical and organisational measures to prevent unauthorised access to personal data were not applied, and that the ongoing confidentiality, integrity, availability and resilience of processing systems and services was not ensured.[6] The British data protection authority, the Information Commissioner's Office, has already imposed 27 fines since the GDPR became applicable[7]. The largest fine to date, however, was imposed in France: on January 21, 2019, the French data protection authority, having examined complaints from two associations (received on the first day of GDPR application, May 25, 2018), fined GOOGLE LLC more than 50 million euros for failing to ensure transparency in the processing of personal data and for relying on invalid consent of the data subject for the delivery of personalised commercial messages.[8]
Following an "advice first" policy, the GID has, from the first day of GDPR application, mainly been engaged in building understanding of the GDPR and providing explanations to businesses, individuals and public institutions. As a result, no fines have yet been imposed in Latvia for GDPR violations; however, according to the latest information, more than 30 administrative violation proceedings have already been initiated in Latvia, in which a decision to impose a fine may be taken.
Many believe that if a business is small, it does not need to meet the GDPR's requirements and the GID will not inspect it. It is true that large companies holding large volumes of personal data will be the first targets of such inspections. But the main purpose of the GDPR is not to conduct inspections that complicate the lives of entrepreneurs; it is to prevent the leakage of personal data. Such a leak can occur in any business, even one with a single employee, if someone gains unauthorised access to that employee's data. Implementing the GDPR does not guarantee that a leak is impossible, but it reduces the risk to a minimum.
The penalty for non-compliance with the GDPR may be relatively small, but the penalty for the leakage of even one person's personal data will be several times greater. In the event of a leak, among other factors, the preliminary work done to implement the GDPR in the particular business will be decisive in determining the amount of the fine. It is not hard to predict that companies (or officials) where a leak occurred and no GDPR work had been done may be found guilty of gross negligence and will accordingly pay significantly higher fines, while companies (or officials) where the GDPR is fully implemented will be able to get away with a warning or a relatively small fine.
A company that does not comply with the GDPR can therefore be compared to a driver who does not wear a seat belt: in an accident, following this simple rule can save a life, and in a data leak, the preliminary work done to implement the GDPR can insure against serious losses.
[1] ibid.
[2] https://www.lps.lv/uploads/docs_module/Daiga_Avdejanova_VDPR_regulas_ieviesana.pdf
[4] http://europa.eu/rapid/press-release_STATEMENT-19-662_lv.htm
[5] https://digital.freshfields.com/post/102f39w/first-gdpr-fine-issued-by-austrian-data-protection-regulator
[6] https://iapp.org/news/a/first-gdpr-fine-in-portugal-issued-against-hospital-for-three-violations/
[7] https://ico.org.uk/action-weve-taken/enforcement/
[8] https://www.dvi.gov.lv/lv/zinas/francijas-datu-aizsardzibas-uzraudzibas-iestade-cnil-uzliek-google-llc-naudas-sodu-50-miljonu-eiro-apmera/