The GDPR Data Protection Act entered fully into force on 25 May 2018, exactly one year ago. Where do we stand today and what about the dreaded 4% turnover fines? Brecht Malfait, General Manager of digital agency WAX Interactive, part of the SQLI Group, sees that Belgium is already seriously lagging behind.
May 25, 2018 was announced as a contemporary version of the Y2K bug. The world would suddenly be a different place, systems would have to be adapted and any person or entity processing data would witness an earthquake. However, the figures for Belgium suggest otherwise.
In Belgium, since the introduction of the GDPR, an estimated 3,500 information questions have been sent by consumers to businesses, 442 data breaches have been reported, some 150 complaints or requests have been made and more than 100 advisory files have been opened. Currently there are (only) 3,540 Data Protection Officers (DPOs) appointed by companies in our country, who see to it that data is backed up and processed in accordance with the GDPR rules.
While these figures seem to be a good start, there is still a lot of work to be done. The need for advice and guidance remains high. Moreover, despite some very public data leaks, not a single GDPR fine has been handed out to date. This is partly because the privacy committee extensively emphasised in advance that fines will only occur after warnings and in exceptional cases. Another important reason is that it was not until 29 March 2019 (almost 1 year after the date) that the Chamber appointed a GDPR directorate for Belgium (Belgian Data Protection Authority). A rather late measure.
In our country, GDPR control seems slow to start. In order to put Belgium's situation in perspective, let us examine where our neighbouring countries stand.
In the Netherlands, for example, about 400 government organisations each have a DPO. Since July 2018, spot checks have been started in various sectors on the presence of a register of processing activities. Since August 2018, the local Data Protection Authority (DPA) has also ensured the mandatory presence of a DPO in data-sensitive sectors, such as hospitals and healthcare providers or financial institutions.
In 2018, the Dutch DPA received a total of 20,881 reports of data leaks, one third of which were in the healthcare sector. According to the regulator, this is more than double the previous year's figure.
Four fines have also already been imposed: a bank (48,000 euros for violation of the right of access), the National Police (40,000 euros for negligence in cyber security), Uber (600,000 euros for a data breach involving 174,000 Dutch drivers and customers) and a health insurance company (50,000 euros for insufficient control of the identity of persons authorised to consult medical files).
Conclusion: The Netherlands are implementing the new legislation and dare to take decisive action in this regard. Moreover, they are not afraid of official authorities or large companies.
In the past year, more than 20 fines have already been handed out to our southern neighbours. Some of the more striking ones: an online shop (250,000 euros for security problems), a government institution (75,000 euros, also for security problems), a tourism service (30,000 euros for the use of personal data for purposes other than those intended), a call centre (10,000 euros for recording telephone calls and logging biometric data without the employees' permission), the city of Paris (30,000 euros for a data breach), Bouygues Telecom (250,000 euros for a data leakage) and Google (50 million euros; the first GDPR fine to be imposed on a multinational on behalf of 10,000 citizens for data processing that was not in compliance with the GDPR).
In France too, large companies and public authorities are not spared. Although France, as an important member of the European Union, has a greater moral authority than, for example, the Netherlands, it nevertheless shows its willingness to implement and enforce the law. Even a metropolis like Paris had to justify itself before a commission last year.
In Great Britain, too, more than thirty fines have already been handed out, the most notable of which exceed €2.5 million. The biggest names here are Facebook, Yahoo and again … some government agencies. The European data protection agencies have imposed 56 million euros in fines for more than 200,000 reported cases in 31 European countries ... of which €50 million for Google alone (France).
All the countries mentioned are committed to enforcing the data protection regulations of a year ago, without prejudice to their own authorities. With the biggest achievement being the fine of EUR 50 million for Google, the real impact of the GDPR does indeed raise questions. In relative terms, the 4% claim is not that bad, but the authorities involved do let it be known that they are still just "warming up".
However, this warm-up in Belgium seems to be a measure for nothing for the time being. The mere fact that the Netherlands reports up to 40 times more data leaks than Belgium already provides food for thought. It makes it painfully clear that the various government bodies are still not ready to act on it and (if necessary) sanction the company involved. It is therefore high time that the GDPR committee got started. If not, many companies will begin to wonder why they went through all the trouble of being ready on time.