With the General Data Protection Regulation (GDPR) having finally come into force on 25 May, after what seems like an eternity for those of us studying privacy on a daily basis, there is now the significant question of what enforcement will look like. While the EU has a reputation for taking privacy and data protection seriously, to date there have been relatively few actual enforcement actions.

Some would say that is because most countries neglected to supply their data protection regulators with big enough sticks, and virtually no carrots, which is why the GDPR was necessary in the first place. But the GDPR brings with it much more than new powers for data protection authorities. It has also created new data subject rights, new obligations for data breach notification, and many other operational requirements that organisations may be struggling to meet.

Will data protection authorities expect everyone to be up to speed on day one? Will they be handing out fines left, right and centre? In short, no, they will not. Or, it is pretty unlikely, anyway. We know this because they actually said so.

Europe’s leading data protection authorities have been speaking everywhere and anywhere about their enforcement priorities and they have been remarkably consistent. Smart organisations can examine these statements and come up with some clear findings that ought to guide risk and compliance thinking.

Jul-Sep 2018 Issue

International Association of Privacy Professionals (IAPP)